My question - how can I find the cause (which steps to take) of my VLAN crossover issue?
Issue description
I have multiple VLAN’s defined in my environment. Two of them are VLAN 44 and VLAN 60. Both these VLAN’s are equipped with DHCP.
The problem I am experiencing is particularly good to see with IPv6, because IPv6 allows multiple IP addresses on the same interface. When connecting a VM to VLAN 60, it gets both IPv6 addresses from VLAN 60 and VLAN 44. The IPv4 address is sometimes form VLAN 60 and sometimes from VLAN 60.
Some further background
My environment consist of a physical pfSense firewall, Unifi switches and a XCP-ng server with multiple VM’s. I experience this crossover only between VLAN 44 and VLAN 60 and not on any of the other VLAN’s.
I think IPv6 is a red herring in this case. Interfaces can be set with multiple addresses regardless of IP version, but I think in this case you’d be better off solving this on the client end. If your client is really meant to accept traffic from both vlans, I’d go about it one of two ways:
Set your switch to allow a single native vlan and allow traffic from the other with ACLs or firewall rules; or
Create two virtual interfaces on your client so it can correctly interpret the vlan tags.
I think the former is usually simpler unless there’s a specific justification for the latter.
As @tvcvt said, the problem has nothing to do wit IPv6 (hence his use of the term red herring).
What OS are you using in the VM and what type of vNIC with which driver? It may not apply here, but there is a known issue with the Intel network driver on Windows where an interface that is set to use only the native VLAN will also receive frames from other VLAN that are tagged on the connection, resulting in the behavior you descibed.
The VM runs Rocky Linux and the virtualized driver is Realtek. Within the VM I do not select a VLAN. On the XCP server, I have created separate networks for the different VLANs. So, the network selected should only contain VLAN 60 (without any vlan tags).
I have more networks defined this way in XCP and they all work as expected. For instance, I have also a network defined for VLAN 70 and that works as expected.