interfaces: optionally support "auto_linklocal" in bridges

[nanosonde]

I am using OPNsense has a transparent filtering bridge, where WAN and LAN are bridged.
The new bridge interface works successfully for IPv4, but not for IPv6 as it does not receive a link local address, although I tried the DHCPv6 and SLAAC setting in the webgui for IPv6 interface configuration.

My main router's DHCPv6 server is configured to provide IA_PD and IA_ND.

Any idea how to fix this?

[nanosonde]

After doing some research I have found this pfSense issue.

The FreeBSD man page (man 4 if_bridge) says:

IPV6 SUPPORT
     if_bridge supports the AF_INET6 address family on bridge interfaces.  The
     following rc.conf(5) variable configures an IPv6 link-local address on
     bridge0 interface:

       ifconfig_bridge0_ipv6="up"

     or in a more explicit manner:

       ifconfig_bridge0_ipv6="inet6 auto_linklocal"

     However, the AF_INET6 address family has a concept of scope zone.  Bridg-
     ing multiple interfaces change the zone configuration because multiple
     links are merged to each other and form a new single link while the mem-
     ber interfaces still work individually.  This means each member interface
     still has a separate link-local scope zone and the if_bridge interface
     has another single, aggregated link-local scope zone at the same time.
     This situation is clearly against the description "zones of the same
     scope cannot overlap" in Section 5, RFC 4007.  Although it works in most
     cases, it can cause some conterintuitive or undesirable behavior in some
     edge cases when both of the if_bridge interface and one of the member
     interface have an IPv6 address and applications use both of them.

     To prevent this situation, if_bridge checks whether a link-local scoped
     IPv6 address is configured on a member interface to be added and the
     if_bridge interface.  When the if_bridge interface has IPv6 addresses,
     IPv6 addresses on the member interface will be automatically removed
     before the interface is added.

     This behavior can be disabled by setting sysctl(8) variable
     net.link.bridge.allow_llz_overlap to 1.

     Note that ACCEPT_RTADV and AUTO_LINKLOCAL interface flag are not enabled
     by default on if_bridge interface even when net.inet6.ip6.accept_rtadv
     and/or net.inet6.ip6.auto_linklocal is set to 1.

At the console I have manually setup a link local IPv6 address on the bridge interface which seems to work currently. The bridge interface receives an IPv6 address from the main router.

So it seems that OPNsense needs some enhancement to take care of this.

[karl047]

I found this Mail in Internet:
https://lists.freebsd.org/pipermail/freebsd-net/2009-April/021675.html
it looks like the problem with the bridge Interface ist known about 10 years ago!

Can you tell me please how I can enter the IPv6 link-local manually for the Bridge Interface on OPNsense at the console?

I'm looking for a solution since 3 months but no chance :-(

[fichtner]

Due to a private request: tickets are closed after a few months of inactivity to avoid stale work queues. I’ll reopen for now, but we need a continuation of discussion.

For the time being I’m absolutely unsure about the state of the described issue in FreeBSD as it relates to OPNsense (11.1 now in 18.7, 11.2 when we release 19.1).

[nanosonde]

Unfortunately, I am not using OPNsense anymore as it was chosen to use another firewall solution.
So I am not following this topic anymore, sorry!

[karl047]

@fichtner : Thank you very much for ReOpening this Ticket.

I have to say firstly, that I have IPv6 disabled on my configuration at the point as I created the Bridge Interface, I mean no assigned static IPv6 address or over Track Interface to WAN is configured on this Interface.

in comparison with the other Interfaces, the Bridge Interface gets no IPv6 Link-Local as it is created, therefore IPv6 on the Devices behind this Interface won’t work when a static IPv6 address is configured on this Interface, BUT, the Bridge Interface gets automatically an IPv6 Link-Local when its IPv6 address is over Track Interface configured !

The solution for that in pfs* forum a 5 years ago, from pendi : edit the file interfaces.inc ( /usr/local/etc/inc/ ), and what he wrote:

To fix this I added (copied) the following lines into interfaces.inc to the function "interface_bridge_configure" just before the line "if (isset($bridge['enablestp'])) {":

/* Create link local address for bridges */
$mac = get_interface_mac($bridge['bridgeif']);
$v6address = generate_ipv6_from_mac($mac);
mwexec("/sbin/ifconfig {$bridge['bridgeif']} inet6 {$v6address}");

I had to make a reboot after editing that file and it works perfectly over about 10 months without any problem, but I have to edit it after every Update, but as I said: it works perfectly, and the Bridge Interface becomes an assigned IPv6 Link-Local.

I hope it will help.

[fichtner]

Sorry this took so long. From the amount of reports and the little work required here but still nobody doing the integration work in 3 years one could argue that the configuration is rather exotic and not relevant most of the time. FWIW, now you can optionally enable link-local addresses for each bridge configuration.

[karl047]

thank you... I will try it soon...

…

Sent from my iPhone

On 25. Apr 2019, at 09:41, Franco Fichtner ***@***.***> wrote: Sorry this took so long. From the amount of reports and the little work required here but still nobody doing the integration work in 3 years one could argue that the configuration is rather exotic and not relevant most of the time. FWIW, now you can optionally enable link-local addresses in each bridge configuration. — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.