Wednesday, July 31, 2019

Re: IPv6 NDP not completing

Hi,

I'm having very similar problems to this, I think. Syspatch'ed OpenBSD 6.5
on an apu4c4, with my ISP-supplied termination device (cable modem,
effectively) directly attached to an ethernet interface. No switch. IPv4
works fine. DHCPv6 NA+PD seems to work OK — I get v6 NA & PD assignments —
but I can't ping anything beyond my gateway. If I use the ISP-supplied
router I have fully functional dualstack networking.

I saw sthen@'s recent post on this topic with his configs included. I
adjusted my configs (which were already pretty close) to reflect what he'd
done, but no joy :-(.

FWIW my ISP is Telstra in Australia. Looking around a bit I found a pfSense
discussion wherein the suggestion was to make a config change to what I
assume underneath the pfSense UI is FreeBSD's
"net.inet6.icmp6.nd6_onlink_ns_rfc4861" sysctl:

https://whirlpool.net.au/wiki/pfsense_ipv6_telstra

But I also found this old discussion that suggested that OpenBSD's
behaviour here — and lack of this particular knob — was a result of a nasty
old CVE:


https://misc.openbsd.narkive.com/3KdNDcEM/openbsd-ignoring-rfc-compliant-ipv6-neighbor-solicitation#post1

My next discovery step is to boot Debian on my spare apu4c4 and see if it
works there, capture some traffic, etc. I don't want to use that as a
gateway, though.

John

On Tue, 30 Jul 2019 at 16:22, Kyle <aradian@tma-0.net> wrote:

> Hi all,
>
> I'm trying to get IPv6 set up on a firewall box running 6.4. I'm using
> dhcpcd to get an NA and several PDs, which appears to be working fine, but
> no normal v6 traffic can be sent or received. tcpdump on the egress
> interface (em3) shows lots of icmp6 neighbor solicits going back and forth,
> but no responses from either side:
>
>
> $ ifconfig em3
> em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> lladdr 0c:c4:7a:ad:2a:e7
> index 4 priority 0 llprio 3
> groups: egress
> media: Ethernet autoselect (1000baseT full-duplex)
> status: active
> inet6 fe80::8dfc:5795:8ab7:e2b%em3 prefixlen 64 scopeid 0x4
> inet <omitted> netmask 0xffffe000 broadcast <omitted>
> inet6 2605:a601:fe07:c900::1 prefixlen 128 pltime 64553 vltime 86153
>
>
> $ tcpdump -nlp -i em3 ip6
> ... neighbor sol repeating many times ...
> 22:46:53.876457 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
> 22:47:01.876688 fe80::2d0:f6ff:feea:4ff0 > 2605:a601:fe07:c900::1: icmp6: neighbor sol: who has 2605:a601:fe07:c900::1 [class 0xc0]
> 22:47:01.876778 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
> 22:47:01.877542 fe80::2d0:f6ff:feea:4ff0 > fe80::8dfc:5795:8ab7:e2b: icmp6: neighbor sol: who has fe80::8dfc:5795:8ab7:e2b [class 0xc0]
> 22:47:02.876594 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
> 22:47:03.876603 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
> 22:47:32.337233 fe80::8dfc:5795:8ab7:e2b.546 > ff02::1:2.547: dhcp6 release [hlim 1]
> 22:47:32.515413 fe80::2d0:f6ff:feea:4ff0.547 > fe80::8dfc:5795:8ab7:e2b.546: dhcp6 [class 0xc0]
>
>
> I added "pass quick on em3 inet6" to the top of pf.conf to make sure the
> responses aren't being filtered.
>
> The peer LL address is always marked incomplete:
>
> $ ndp -na | grep em3
> 2605:a601:fe07:c900::1 0c:c4:7a:ad:2a:e7 em3 permanent R l
> fe80::2d0:f6ff:feea:4ff0%em3 00:d0:f6:ea:51:96 em3 expired I R
> fe80::8dfc:5795:8ab7:e2b%em3 0c:c4:7a:ad:2a:e7 em3 permanent R l
>
>
> Pinging any v6 address outside my network only results in one
> fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has
> fe80::2d0:f6ff:feea:4ff0
>
> per ping sent.
>
> Routes:
>
> $ route -n show -inet6 | grep em3
> default fe80::2d0:f6ff:feea:4ff0%em3 UGS 0 53699 - 8 em3
> 2605:a601:fe07:c900::1 0c:c4:7a:ad:2a:e7 UHLl 0 1752 - 1 em3
> fe80::%em3/64 fe80::8dfc:5795:8ab7:e2b%em3 UCn 1 1 - 4 em3
> fe80::2d0:f6ff:feea:4ff0%em3 00:d0:f6:ea:51:96 UHLch 1 720183 - 3 em3
> fe80::8dfc:5795:8ab7:e2b%em3 0c:c4:7a:ad:2a:e7 UHLl 0 110606 - 1 em3
> ff01::%em3/32 fe80::8dfc:5795:8ab7:e2b%em3 Um 0 3 - 4 em3
> ff02::%em3/32 fe80::8dfc:5795:8ab7:e2b%em3 Um 0 161322 - 4 em3
>
>
> There is a managed switch between the firewall's egress and the ISP, but
> it's not doing any packet filtering. I'm currently out of ideas; any
> suggestions would be much appreciated.
>
>
>
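
An added example, not part of either message above: a small Python helper that reads saved `tcpdump` text like the quoted capture, rejoins mail-wrapped records, and reports which neighbor solicitations never saw an advertisement for their target. The sample capture is constructed with made-up addresses, and the `neighbor adv: tgt is` wording for advertisements is an assumption modelled on the `neighbor sol: who has` lines in the thread.

```python
import re

# Constructed sample; record 3 is wrapped and '>'-quoted the way mail
# clients mangle pasted captures.
SAMPLE = """\
10:00:01.000000 fe80::a > ff02::1:ff00:b: icmp6: neighbor sol: who has fe80::b
10:00:01.000400 fe80::b > fe80::a: icmp6: neighbor adv: tgt is fe80::b
> 10:00:02.000000 fe80::b > 2001:db8::1: icmp6:
> neighbor sol: who has 2001:db8::1 [class 0xc0]
10:00:03.000000 fe80::b > 2001:db8::1: icmp6: neighbor sol: who has 2001:db8::1
10:00:04.000000 fe80::a > ff02::1:ff00:c: icmp6: neighbor sol: who has fe80::c
"""

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
# Assumed line shape: "<ts> <src> > <dst>: icmp6: neighbor sol|adv ... <target>"
ND = re.compile(
    r"^\S+ (?P<src>\S+) > \S+: icmp6: "
    r"neighbor (?P<kind>sol: who has|adv: tgt is) (?P<target>[0-9a-fA-F:]+)"
)

def unwrap(text):
    """Strip mail quoting and glue continuation lines onto their record."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if TS.match(line):
            records.append(line)
        elif records and line:
            records[-1] += " " + line
    return records

def unanswered_solicitations(text):
    """Return {(asker, target): count} for solicitations with no later advert."""
    pending = {}
    for record in unwrap(text):
        m = ND.match(record)
        if not m:
            continue  # dhcp6 and other traffic
        src, target = m["src"], m["target"].lower()
        if m["kind"].startswith("sol"):
            pending[(src, target)] = pending.get((src, target), 0) + 1
        else:
            # An advertisement for a target clears every pending
            # solicitation for that target, whoever asked.
            for key in [k for k in pending if k[1] == target]:
                del pending[key]
    return pending

if __name__ == "__main__":
    for (asker, target), n in unanswered_solicitations(SAMPLE).items():
        print(f"{asker} asked for {target} {n}x, no advertisement seen")
```

A capture in which both sides appear in the result, each asking for the other, matches the symptom described in the thread: solicitations in both directions and no advertisements.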
