Am Mon, 8 Jan 2024 01:33:53 +0100 (CET)
Felix Reichenberger <felix.reichenber...@tuta.io> schrieb:

> > Hello,
> >
> > I've got a problem with recent CURRENT, running vnet JAILs.
> > FreeBSD 15.0-CURRENT #28 main-n267432-e5b33e6eef7: Sun Jan  7 13:18:15 CET 2024 amd64
> >
> > Main Host has IPFW configured and is open for services like OpenLDAP on UDP/TCP and ICMP
> > (ipfw is configured via rc.conf in this case, host is listening on both protocol families
> > IPv4 and IPv6).
> >
> > The host itself has openldap-server 2.6 as a service. The host's interface is igb0 with
> > assigned ULA. JAILs (around eight jails) are sharing their vnet interfaces via a bridge
> > with the same physical device as the host (igb0). After a while (the time elapsed is
> > unspecific) the jail is unable to contact the host via IPv6: neither UDP, TCP nor ICMP
> > sent from the JAIL is reaching the host. IPv4 is working like a charm! No problems there.
> >
> > When pinging the Jail from the main host via ping -6, the jail is responding! After the
> > first ping -6, the jail now is able to ping -6 the main host.
> >
> > After a fresh reboot, the problem is not present and occurs after a while, and it seems to
> > happen first to very active jails.
> >
> > Kind regards,
> >
> > oh
> >
> >
> > -- 
> > O. Hartmann
> 
> Hello,
> 
> This behavior might be caused by IPFW blocking some IPv6 neighbor discovery/advertisement
> messages.
> After some time, the link layer addresses of the IPv6 neighbors in the NDP cache may expire,
> making the associated IPv6 addresses inaccessible.
> Do your IPFW rules allow ICMPv6 messages to and from IPv6 multicast addresses?
> 
> Regards.
> 

Thank you for responding. Thank you for this valuable hint!

The jail(s) itself/themselves as well as the host use the regular ipfw rc setup script as
provided with the base system, adding simply those ports open which provide services - a plain
and simple approach.

Checking the jails on the host in question (jails are contacting the OpenLDAP server on the host,
OpenLDAP server configured for test purposes to listen only on IPv6) leaves me with
inconclusive results.

Assuming a jail, called host-git, and a host, master.
Deleting the NDP entries on host-git via "ndp -c" leaves me with the initially reported issue
here; the solution is to ping host-git first from host-master to "magically open" the IPv6
connection. After that, ldapsearch or any other IPv6 connections originating on host-git
work again. That seems odd.

Jails are vnet. Jails reside on a bridgeXX interface, sharing the physical NIC of the master
host. Just for the record.

I use a similar setup on a XigmaNAS host (13.2-RELEASE-p8), also with active IPFW on the
master host's side as well as IPFW enabled on the Jail's side. Difference to the above-mentioned
setup: the jail is located on a different host, contacting the master host via a
switched network.

Regards,

oh

-- 
O. Hartmann
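The reply in this thread points at ipfw dropping ICMPv6 neighbor discovery, so the NDP cache decays until a packet in the other direction refreshes it. The script below is an added example (not from anyone in the thread and not the base system's rc.firewall): `nd_rules` emits ipfw rules that permit neighbor discovery, and `nd_audit` reads an `ipfw list` dump and reports whether neighbor solicitation/advertisement (ICMPv6 types 135/136) is allowed before the closing deny. The rule numbers, the dry-run `echo ipfw` prefix and the two sample rule dumps are constructed for the example; `ipv6-icmp` and `icmp6types` are ipfw(8) keywords, and the type numbers are from RFC 4861.

```shell
#!/bin/sh
# Added example: emit ipfw rules that permit IPv6 neighbor discovery and
# audit an `ipfw list` dump for them. Rule numbers 1000-1003 are arbitrary.

# Print (or, with FWCMD=ipfw, install) the rules. Defaults to a dry run.
nd_rules() {
    fwcmd="${FWCMD:-echo ipfw}"
    # Duplicate address detection: unspecified source to solicited-node multicast
    $fwcmd add 1000 allow ipv6-icmp from :: to ff02::/16
    # RS/RA/NS/NA/redirect exchanged between link-local addresses
    $fwcmd add 1001 allow ipv6-icmp from fe80::/10 to fe80::/10
    # Solicitations from link-local to all-nodes/all-routers/solicited-node groups
    $fwcmd add 1002 allow ipv6-icmp from fe80::/10 to ff02::/16
    # NS/NA are also sourced from ULA/global addresses (the setup in this
    # thread); type 1 and 2 keep unreachable / packet-too-big working
    $fwcmd add 1003 allow ipv6-icmp from any to any icmp6types 1,2,135,136
}

# Read `ipfw list` output on stdin. Prints "ok" when an allow rule lets
# NS/NA from any source through before a catch-all deny, else "missing".
# Rules restricted with via/in/out are deliberately not counted.
nd_audit() {
    awk '
    function covers_nd(line,   n, i, t, types) {
        if (line !~ / icmp6types /) return 1   # no type filter: all ICMPv6
        sub(/.* icmp6types /, "", line)
        n = split(line, t, ",")
        for (i = 1; i <= n; i++) types[t[i]] = 1
        return (135 in types) && (136 in types)
    }
    /^[0-9]+ (allow|pass|accept|permit) (ipv6-icmp|ip6|ip) from any to (any|ff02::\/16)( icmp6types [0-9,]+)?$/ {
        if (covers_nd($0)) { print "ok"; done = 1; exit }
    }
    /^[0-9]+ (deny|drop|reject|unreach6?) (ip|ip6|ipv6-icmp) from any to any$/ {
        print "missing"; done = 1; exit
    }
    END { if (!done) print "missing" }
    '
}

# Constructed sample: service ports open, ICMPv4 allowed, ICMPv6 forgotten.
sample_blocking() {
cat <<'EOF'
00100 allow ip from any to any via lo0
00200 allow tcp from any to me dst-port 389
00300 allow udp from any to me dst-port 389
00400 allow icmp from any to any
65535 deny ip from any to any
EOF
}

# Constructed sample: the same host after adding the ND rules.
sample_fixed() {
cat <<'EOF'
00100 allow ip from any to any via lo0
00200 allow ipv6-icmp from :: to ff02::/16
00300 allow ipv6-icmp from fe80::/10 to fe80::/10
00400 allow ipv6-icmp from fe80::/10 to ff02::/16
00500 allow ipv6-icmp from any to any icmp6types 1,2,135,136
00600 allow tcp from any to me dst-port 389
65535 deny ip from any to any
EOF
}

echo "blocking ruleset: $(sample_blocking | nd_audit)"
echo "fixed ruleset:    $(sample_fixed | nd_audit)"
echo "rules to add:"
nd_rules
```

On a real host, `ipfw list | sh -c '. ./nd_check.sh; nd_audit'` (with the script saved under that name) runs the audit against the live ruleset, and the same check inside each vnet jail catches the case where the jail's own ipfw, not the host's, is dropping the solicitations. A `via lo0` rule is ignored on purpose: it does not cover traffic on the bridge.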
