Interesting links, thanks. Looking into the second one, I noticed this commit:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/nd6_nbr.c.diff?r1=1.117&r2=1.118&f=h
It seems like OpenBSD should respond to NS addressed to both global or link-local addresses on the upstream interface.
I also set net.inet6.icmp6.nd6_debug=1, but haven't seen anything related in the logs.
On 7/31/19 8:23 PM, john slee wrote:
> Hi,
>
> I'm having very similar problems to this, I think. Syspatch'ed OpenBSD 6.5
> on an apu4c4, with my ISP-supplied termination device (cable modem,
> effectively) directly attached to an ethernet interface. No switch. IPv4
> works fine. DHCPv6 NA+PD seems to work OK — I get v6 NA & PD assignments —
> but I can't ping anything beyond my gateway. If I use the ISP-supplied
> router I have fully functional dualstack networking.
>
> I saw sthen@'s recent post on this topic with his configs included. I
> adjusted my configs (which were already pretty close) to reflect what he'd
> done, but no joy :-(.
>
> FWIW my ISP is Telstra in Australia. Looking around a bit I found a pfSense
> discussion wherein the suggestion was to make a config change to what I
> assume underneath the pfSense UI is FreeBSD's
> "net.inet6.icmp6.nd6_onlink_ns_rfc4861" sysctl:
>
> https://whirlpool.net.au/wiki/pfsense_ipv6_telstra
>
> But I also found this old discussion that suggested that OpenBSD's
> behaviour here — and lack of this particular knob — was a result of a nasty
> old CVE:
>
>
> https://misc.openbsd.narkive.com/3KdNDcEM/openbsd-ignoring-rfc-compliant-ipv6-neighbor-solicitation#post1
>
> My next discovery step is to boot Debian on my spare apu4c4 and see if it
> works there, capture some traffic, etc. I don't want to use that as a
> gateway, though.
>
> John
>
> On Tue, 30 Jul 2019 at 16:22, Kyle <aradian@tma-0.net> wrote:
>
>> Hi all,
>>
>> I'm trying to get IPv6 set up on a firewall box running 6.4. I'm using
>> dhcpcd to get an NA and several PDs, which appears to be working fine, but
>> no normal v6 traffic can be sent or received. tcpdump on the egress
>> interface (em3) shows lots of icmp6 neighbor solicits going back and forth,
>> but no responses from either side:
>>
>>
>> $ ifconfig em3
>> em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>> lladdr 0c:c4:7a:ad:2a:e7
>> index 4 priority 0 llprio 3
>> groups: egress
>> media: Ethernet autoselect (1000baseT full-duplex)
>> status: active
>> inet6 fe80::8dfc:5795:8ab7:e2b%em3 prefixlen 64 scopeid 0x4
>> inet <omitted> netmask 0xffffe000 broadcast <omitted>
>> inet6 2605:a601:fe07:c900::1 prefixlen 128 pltime 64553 vltime 86153
>>
>>
>> $ tcpdump -nlp -i em3 ip6
>> ... neighbor sol repeating many times ...
>> 22:46:53.876457 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
>> 22:47:01.876688 fe80::2d0:f6ff:feea:4ff0 > 2605:a601:fe07:c900::1: icmp6: neighbor sol: who has 2605:a601:fe07:c900::1 [class 0xc0]
>> 22:47:01.876778 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
>> 22:47:01.877542 fe80::2d0:f6ff:feea:4ff0 > fe80::8dfc:5795:8ab7:e2b: icmp6: neighbor sol: who has fe80::8dfc:5795:8ab7:e2b [class 0xc0]
>> 22:47:02.876594 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
>> 22:47:03.876603 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
>> 22:47:32.337233 fe80::8dfc:5795:8ab7:e2b.546 > ff02::1:2.547: dhcp6 release [hlim 1]
>> 22:47:32.515413 fe80::2d0:f6ff:feea:4ff0.547 > fe80::8dfc:5795:8ab7:e2b.546: dhcp6 [class 0xc0]
>>
>>
>> I added "pass quick on em3 inet6" to the top of pf.conf to make sure the
>> responses aren't being filtered.
>>
>> The peer LL address is always marked incomplete:
>>
>> $ ndp -na | grep em3
>> 2605:a601:fe07:c900::1 0c:c4:7a:ad:2a:e7 em3 permanent R l
>> fe80::2d0:f6ff:feea:4ff0%em3 00:d0:f6:ea:51:96 em3 expired I R
>> fe80::8dfc:5795:8ab7:e2b%em3 0c:c4:7a:ad:2a:e7 em3 permanent R l
>>
>>
>> Pinging any v6 address outside my network only results in one
>> fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has
>> fe80::2d0:f6ff:feea:4ff0
>>
>> per ping sent.
>>
>> Routes:
>>
>> $ route -n show -inet6 | grep em3
>> default fe80::2d0:f6ff:feea:4ff0%em3 UGS 0 53699 - 8 em3
>> 2605:a601:fe07:c900::1 0c:c4:7a:ad:2a:e7 UHLl 0 1752 - 1 em3
>> fe80::%em3/64 fe80::8dfc:5795:8ab7:e2b%em3 UCn 1 1 - 4 em3
>> fe80::2d0:f6ff:feea:4ff0%em3 00:d0:f6:ea:51:96 UHLch 1 720183 - 3 em3
>> fe80::8dfc:5795:8ab7:e2b%em3 0c:c4:7a:ad:2a:e7 UHLl 0 110606 - 1 em3
>> ff01::%em3/32 fe80::8dfc:5795:8ab7:e2b%em3 Um 0 3 - 4 em3
>> ff02::%em3/32 fe80::8dfc:5795:8ab7:e2b%em3 Um 0 161322 - 4 em3
>>
>>
>> There is a managed switch between the firewall's egress and the ISP, but
>> it's not doing any packet filtering. I'm currently out of ideas; any
>> suggestions would be much appreciated.
>>
>>
>>
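Added example, not part of this thread or of anyone's post in it: a small Python script that reads tcpdump lines like the ones quoted above, pairs each neighbor solicitation with any neighbor advertisement for the same target, and reports the targets that never get an answer. It also flags solicits sent to a unicast destination (the ISP router's NS aimed at the global address, the case the nd6_nbr.c commit linked at the top concerns) as opposed to the normal solicited-node multicast group. The sample input is constructed from the quoted lines plus one made-up "neighbor adv" line so that a resolved target shows up too; the "neighbor adv: tgt is" wording is assumed to match OpenBSD tcpdump's icmp6 output.

```python
import re

# Constructed sample: the tcpdump lines quoted in the thread plus one
# constructed "neighbor adv" line (the last-but-one) so one target resolves.
SAMPLE = """\
22:46:53.876457 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:01.876688 fe80::2d0:f6ff:feea:4ff0 > 2605:a601:fe07:c900::1: icmp6: neighbor sol: who has 2605:a601:fe07:c900::1 [class 0xc0]
22:47:01.876778 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:01.877542 fe80::2d0:f6ff:feea:4ff0 > fe80::8dfc:5795:8ab7:e2b: icmp6: neighbor sol: who has fe80::8dfc:5795:8ab7:e2b [class 0xc0]
22:47:01.877600 fe80::8dfc:5795:8ab7:e2b > fe80::2d0:f6ff:feea:4ff0: icmp6: neighbor adv: tgt is fe80::8dfc:5795:8ab7:e2b
22:47:02.876594 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:32.337233 fe80::8dfc:5795:8ab7:e2b.546 > ff02::1:2.547: dhcp6 release [hlim 1]
"""

# Assumed tcpdump wording: "neighbor sol: who has X" and "neighbor adv: tgt is X".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp6: "
    r"neighbor (?P<kind>sol|adv): (?:who has|tgt is) (?P<target>[0-9a-fA-F:]+)"
)


def parse_nd_line(line):
    """Parse one tcpdump line; return a dict for NS/NA lines, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Solicited-node multicast destinations live under ff02::1:ff00:0/104;
    # anything else (a unicast NS to a known neighbour) is worth noting.
    rec["multicast"] = rec["dst"].lower().startswith("ff02:")
    return rec


def unanswered_solicits(text):
    """Map target -> {"count", "unicast_dst"} for targets solicited but never advertised."""
    sols = {}
    advertised = set()
    for line in text.splitlines():
        rec = parse_nd_line(line)
        if rec is None:
            continue
        if rec["kind"] == "adv":
            advertised.add(rec["target"])
            continue
        entry = sols.setdefault(rec["target"], {"count": 0, "unicast_dst": False})
        entry["count"] += 1
        if not rec["multicast"]:
            entry["unicast_dst"] = True
    return {t: e for t, e in sols.items() if t not in advertised}


if __name__ == "__main__":
    for target, info in unanswered_solicits(SAMPLE).items():
        how = "unicast" if info["unicast_dst"] else "solicited-node multicast"
        print(f"{target}: {info['count']} NS, no NA seen (sent via {how})")
```

Run against a real capture, replace SAMPLE with the output of `tcpdump -nlp -i em3 ip6`; a target that shows up here with a unicast destination is the symptom the thread describes, where the upstream router asks for the global address directly and the box never answers.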