laduke
commented
1 year ago Glad you found it. I wonder if anyone else has experienced this.
Is it just: CenturyLinks' 6RD, 6RD in general, the MTU... or what combination?
The mtu on this interface is only 1280, so that may possibly be the issue?
maybe!?
It'd be nice to exactly where it's breaking, but that's hard to figure out with the current debugging tools, and you need access to 6RD.
Might add "settings": {"interfacePrefixBlacklist": ["wan_stf"]} to the list of recommendations in the opnsense docs for now.
darkain
Please let us know
What you expect to be happening. Stable connectivity between nodes
What is actually happening?
zerotier peersshows connectivity, but can no longer ping between host's ZT IP addresses. All tunneled communication between nodes stops working.Any steps to reproduce the error. Just start ZT, and it'll soon break
Any relevant console output or screenshots. n/a
What operating system and ZeroTier version. Please try the latest ZeroTier release. OPNsense (FreeBSD 13.x) with latest ZeroTier 1.12.2
Backstory, as many of the ZT staff are aware, I've been running an edge router network with ZeroTier on the routers and OSPF on top of that to manage LAN route delegation between routers for several years. Every router is OPNsense based. I've had on-and-off connectivity issues the entire time with this setup, mostly centering around a particular node's connectivity. Some nodes would maintain stable connectivity with it, others would work after a "service zerotier restart", and then fail after a few minutes to a few hours, sometimes coming back again in a few minutes/hours, flapping back and forth over time.
After years of grueling trial and error, I think I've finally pinpointed the configuration that breaks things!
The two nodes that would always stop talking to each other are both dual-stacked WAN, while every other node in the mesh is IPv4 only. One node is native dual-stack, the other is CenturyLink's 6RD IPv6 implementation. I upgraded a 3rd node to IPv6 native connectivity, and the two nodes with native IPv6 communicated between each other without an issue. However, as soon as the active connection between the 6RD and this new IPv6 node became active (switching from v4 to v6), it instantly broke, just like the previous connection.
Node A: IPv4 + 6RD Node B: IPv4 + IPv6 Native Node C: IPv4 + IPv6 Native
A <> B (IPv4) works A <> B (IPv6) breaks instantly
A <> C (IPv4) works A <> C (IPv6) breaks instantly
B <> C (IPv4) works B <> C (IPv6) works
ZeroTier makes multiple UDP connections between each host. I monitored the connection to see which one was active (one of the IPv4 or IPv6 connections) using
zerotier -j peers. Whenever a 6RD enabled host swapped to one of the IPv6 connections, no data would flow through the ZeroTier tunnel anymore.The 6RD feature on OPNsense/FreeBSD creates a separate interface in FreeBSD, so I have
re0forWANandwan_stffor the6RDinterface. So they are two separate interfaces, rather than a single interface with dual-stack IPs. Themtuon this interface is only1280, so that may possibly be the issue?I'm now running with a local config on these 6RD enabled nodes of
"settings": {"interfacePrefixBlacklist": ["wan_stf"]}to prevent ZT from binding to this interface entirely. Having ZT work exclusively on IPv4 on these boxes is working for the time being.It would however be nice to have dual stack working again.
(really, I blame CenturyLink for this mostly, offering a crap half-assed IPv6 implementation instead of true native dual-stack)