The issue where APs rrop function intercepts RA packets causing terminals to fail learning IPv6 gateway information

AC --- FIT AP local forwarding, IPv4 + IPv6 dual stack

After connecting to the wireless network, the wireless terminal can learn the IPv4 ARP information of the gateway but fails to acquire the IPv6 information of the gateway.

When connected to a wired network within the same VLAN segment, the terminal can correctly learn both IPv4 and IPv6 gateway information.

After associating with the wireless network, the terminal learns the gateway IPv4 information by sending an arp request broadcast packet. The gateway receives it and replies with an arp reply packet, which the terminal receives to learn the gateway IPv4 information.

The terminal learns the gateway IPv6 information by sending an RS (Router Solicitation) message, which the gateway receives and replies with an RA (Router Advertisement) message. Therefore, failure to learn the gateway IPv6 information may be due to packet loss of the RS or RA messages in intermediate equipment.

Since no wireless packet capture card or MacBook was available on-site for air interface packet capture, and the wireless air interface environment appeared favorable, it was decided to start by examining the wired-side transmission of packets. However, as the POE switch uplink from the AP was located quite far away in the weak current well, it was decided to first use the highly convenient AP debug method to capture packet transmission on the AP.

Considering the packet transmission process on the AP involves the following steps: air interface driver → wlan forwarding platform → wired forwarding → physical port transmission to the upstream switch, therefore, enable the following debug on the AP where the terminal will connect (this AP has only radio 1 enabled). Use the MAC address of the test terminal as the filter condition. After enabling debug, have the terminal connect to this AP to reproduce the issue.

[AP-Probe] debugging ar5drv 1 packet all mac HHHH-HHHH-HHHH verbose
[AP-Probe] debugging system internal wlan forward packet content hh:hh:hh:hh:hh:hh
[AP-Probe] debugging system internal mac-forwarding packet content hh:hh:hh:hh:hh:hh
<AP> debugging wlan forward error
<AP> debugging mac-forwarding packet
<AP> debugging mac-forwarding error

Through software resolve: After discovering the terminal associated SSID, multiple RS messages were sent to probe IPv6 gateway information, but no RA messages were received, whether during the process of resolving ar5drv or wlanfw.

Viewing the configuration under the AP group view on the AC, it was found that the following configurations exist: rrop anti-bmc default-action deny and rrop anti-bmc ipv4-and-ipv6-simple enable. Generally, functions like rrop multicast and broadcast suppression are relatively easy to intercept such multicast or broadcast packets. Therefore, the related configurations were removed. After removal, it was observed that the AP correctly forwarded the RS packets from the terminal requesting IPv6 information from the gateway and the RA packets replied by the gateway.

At this point, checking the terminal also shows that the IPv6 information of the gateway is correctly learned:

After checking the known issue list of AC, it was confirmed that there is indeed a similar question record. The on-site AC version is older than R5466, and the root cause of this known issue is that the rrop function in the AP wlan platform forwarding module intercepted the RA packets replied by the gateway, resulting in the terminal being unable to learn the gateway IPv6 information.

Upgrade the AC and AP versions and reserve the configuration of the rrop multicast broadcast suppression function.