The IPv6 gateway is reported as offline if the WAN interface has a ULA address. #6939
Comments
@subnetspider thanks for the report... does this make sense? 89ee410
|
As far as I can tell, OPNsense will now check whether an IPv6 address is a ULA or not, and also gives ULAs a lower priority (GUA > LL > ULA ?) when determining the primary IPv6 address of an interface. |
Yes, the ULA comes first in your assignment causing dpinger to pick it up trying to reach a GUA, which then doesn’t work. Special ULA handling was never done on this code base as far as I can tell. Using Cheers, |
All right, I have just spun up an OPNsense 23.7.6 VM ("OPNsense 2") and tried to reproduce the problem, as I don't have access to the other OPNsense ("OPNsense 1") right now. Interestingly, even though a ULA prefix is sent by the router I'm using here, What I noticed, however, is that while there is a ULA on the WAN interface in both cases, the order of the IPv6 addresses in ifconfig is different:
OPNsense 1 with Problem:
OPNsense 2 without Problem:
This is also reflected in the RA sent by the router with OPNsense 2, where the GUA prefix is being sent before the ULA prefix:
My theory right now is that without the patch, OPNsense will pick the first IPv6 address on an interface it finds, and only if it gets a ULA before a GUA will the bug occur. I will apply the patch to the "OPNsense 1" firewall later this week to see if my theory is correct and this fixes the bug, but unfortunately I can't get there until Friday. Until then :) |
Yes, the ordering is exactly the issue here that will create the edge case that fails. Part of the problem with having ULA is also described quite a bit, for example here: https://blogs.infoblox.com/ipv6-coe/ula-is-broken-in-dual-stack-networks/ -- some vendors even tend to ignore it completely (a bit like we are doing for primary detection now, but primary for us means routable so GUA and not ULA/LLA so I think it fits better in the general code as opposed to restricting Dpinger setup itself). Cheers, |
Last evening I finally got around to applying the patch, and took some screenshots to document it, since I only had my smartphone with me.
OPNsense GUI before applying the patch:
OPNsense CLI before applying the patch
OPNsense GUI after applying the patch
OPNsense CLI after applying the patch:
When I ran Cheers |
Yeah, it needs a gateway event trigger or routing reload. Some GUI options do this or it was a lucky coincidence that it happened right after applying. I will bring this into 23.7.7. Thanks for the report! |
Describe the bug
IPv6 gateway reported as offline when there is a ULA address on the WAN interface because dpinger binds to the wrong address.
To Reproduce
Steps to reproduce the behavior:
fd00::/8) in addition to the GUA prefix (2000::/3).
WAN_DHCP6 (or WAN_SLAAC when using SLAAC).
Disable Gateway Monitoring checkbox.
Monitor IP like 2001:4860:4860::8844.
Expected behavior
The IPv6 gateway WAN_DHCP6 should be Online and RTT and RTTd should show some latency.
Describe alternatives you considered
The IPv6 gateway WAN_DHCP6 is reported as Offline with 100% packet loss, even though IPv6 is working.
Screenshots
Relevant log files
Output of ifconfig igb1:
Output of netstat -rn6:
Parameters of dpinger:
Output of tcpdump icmp6 -i igb1 -n -v (WAN interface, no ICMP replies):
Additional context
When I used the ISP router's addresses fd80::1 (fd80::1%igb1) or fd1f:5dbe:154f:1::1 for Monitor IP, the IPv6 gateway was displayed as Online:
When I set the Global Unicast Address I got from DHCPv6/SLAAC as static on the WAN interface and manually added an IPv6 Upstream Gateway with the address fe80::1 (ISP Router), the IPv6 gateway was also displayed as Online.
When I disabled the IPv6 ULA prefix fd1f:5dbe:154f:1::/64 on the ISP Router when using SLAAC or DHCPv6 on the WAN interface, the IPv6 gateway was also displayed as Online.
This leads me to believe that /usr/local/bin/dpinger just grabs the first IPv6 address it finds on the WAN interface to use as a source address / bind to that address.
But since IPv6 ULA addresses are not routable over the Internet (unless you use NAT66), there is no way it will ever get an ICMP reply message, thus the IPv6 gateway will always be reported as Offline.
For the next few days, I will not have access to other routers to use as gateways for OPNsense that advertise a ULA and GUA prefix, so my sample size is rather limited.
Environment
OPNsense 23.7.6-amd64
FreeBSD 13.2-RELEASE-p3
OpenSSL 1.1.1w 11 Sep 2023
AMD GX-222GC SOC with Radeon(TM) R5E Graphics (2 cores, 2 threads)
Network Intel® I350-T4
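An added sketch of the ordering edge case discussed in this thread (not OPNsense or dpinger code, and not written by anyone in the thread): it parses a constructed `ifconfig` sample and compares a first-listed source pick with a GUA-only pick against the monitor IP from the report. The sample host addresses, the `first_listed` model of the reported behaviour, and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample shaped like FreeBSD `ifconfig` output, ULA listed first.
# The GUA uses the documentation prefix 2001:db8::/32; host parts are made up.
SAMPLE_ULA_FIRST = """\
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 fe80::1234:56ff:fe78:9abc%igb1 prefixlen 64 scopeid 0x2
\tinet6 fd1f:5dbe:154f:1:1234:56ff:fe78:9abc prefixlen 64 autoconf
\tinet6 2001:db8:1:1:1234:56ff:fe78:9abc prefixlen 64 autoconf
"""

SCOPES = [  # checked in order
    ("LL", ipaddress.ip_network("fe80::/10")),
    ("ULA", ipaddress.ip_network("fc00::/7")),  # RFC 4193; fd00::/8 is the half in use
    ("GUA", ipaddress.ip_network("2000::/3")),
]

def inet6_addresses(ifconfig_text):
    """Return the interface's inet6 addresses in the order ifconfig lists them."""
    found = re.findall(r"^\s*inet6\s+(\S+)", ifconfig_text, re.M)
    return [ipaddress.IPv6Address(a.split("%")[0]) for a in found]  # drop %zone

def classify(addr):
    """Label an address as LL, ULA, GUA or other by prefix."""
    addr = ipaddress.IPv6Address(addr)
    return next((name for name, net in SCOPES if addr in net), "other")

def first_listed(addrs):
    """Hypothetical model of the reported behaviour: first non-link-local wins."""
    return next((a for a in addrs if classify(a) != "LL"), None)

def first_gua(addrs):
    """Order-independent choice: only a GUA counts as the routable primary."""
    return next((a for a in addrs if classify(a) == "GUA"), None)

def can_monitor(source, monitor_ip):
    """A probe to a GUA monitor needs a GUA source; a ULA source gets no reply."""
    if source is None:
        return False
    return classify(monitor_ip) != "GUA" or classify(source) == "GUA"

if __name__ == "__main__":
    addrs = inet6_addresses(SAMPLE_ULA_FIRST)
    for pick in (first_listed(addrs), first_gua(addrs)):
        print(pick, classify(pick), can_monitor(pick, "2001:4860:4860::8844"))
```
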