Interesting links, thanks. Looking into the second one, I noticed this commit:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/nd6_nbr.c.diff?r1=1.117&r2=1.118&f=h
It seems like OpenBSD should respond to NS addressed to both global and
link-local addresses on the upstream interface.
I also set net.inet6.icmp6.nd6_debug=1, but haven't seen anything related in
the logs.
On 7/31/19 8:23 PM, john slee wrote:
Hi,
I'm having very similar problems to this, I think. Syspatch'ed OpenBSD 6.5
on an apu4c4, with my ISP-supplied termination device (cable modem,
effectively) directly attached to an ethernet interface. No switch. IPv4
works fine. DHCPv6 NA+PD seems to work OK — I get v6 NA & PD assignments —
but I can't ping anything beyond my gateway. If I use the ISP-supplied
router I have fully functional dualstack networking.
I saw sthen@'s recent post on this topic with his configs included. I
adjusted my configs (which were already pretty close) to reflect what he'd
done, but no joy :-(.
FWIW my ISP is Telstra in Australia. Looking around a bit I found a pfSense
discussion wherein the suggestion was to make a config change to what I
assume underneath the pfSense UI is FreeBSD's
"net.inet6.icmp6.nd6_onlink_ns_rfc4861" sysctl:
https://whirlpool.net.au/wiki/pfsense_ipv6_telstra
But I also found this old discussion that suggested that OpenBSD's
behaviour here — and lack of this particular knob — was a result of a nasty
old CVE:
https://misc.openbsd.narkive.com/3KdNDcEM/openbsd-ignoring-rfc-compliant-ipv6-neighbor-solicitation#post1
My next discovery step is to boot Debian on my spare apu4c4 and see if it
works there, capture some traffic, etc. I don't want to use that as a
gateway, though.
John
On Tue, 30 Jul 2019 at 16:22, Kyle <arad...@tma-0.net> wrote:
Hi all,
I'm trying to get IPv6 set up on a firewall box running 6.4. I'm using
dhcpcd to get an NA and several PDs, which appears to be working fine, but
no normal v6 traffic can be sent or received. tcpdump on the egress
interface (em3) shows lots of icmp6 neighbor solicits going back and forth,
but no responses from either side:
$ ifconfig em3
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 0c:c4:7a:ad:2a:e7
index 4 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::8dfc:5795:8ab7:e2b%em3 prefixlen 64 scopeid 0x4
inet <omitted> netmask 0xffffe000 broadcast <omitted>
inet6 2605:a601:fe07:c900::1 prefixlen 128 pltime 64553 vltime 86153
$ tcpdump -nlp -i em3 ip6
... neighbor sol repeating many times ...
22:46:53.876457 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:01.876688 fe80::2d0:f6ff:feea:4ff0 > 2605:a601:fe07:c900::1: icmp6: neighbor sol: who has 2605:a601:fe07:c900::1 [class 0xc0]
22:47:01.876778 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:01.877542 fe80::2d0:f6ff:feea:4ff0 > fe80::8dfc:5795:8ab7:e2b: icmp6: neighbor sol: who has fe80::8dfc:5795:8ab7:e2b [class 0xc0]
22:47:02.876594 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:03.876603 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:32.337233 fe80::8dfc:5795:8ab7:e2b.546 > ff02::1:2.547: dhcp6 release [hlim 1]
22:47:32.515413 fe80::2d0:f6ff:feea:4ff0.547 > fe80::8dfc:5795:8ab7:e2b.546: dhcp6 [class 0xc0]
I added "pass quick on em3 inet6" to the top of pf.conf to make sure the
responses aren't being filtered.
The peer LL address is always marked incomplete:
$ ndp -na | grep em3
2605:a601:fe07:c900::1        0c:c4:7a:ad:2a:e7  em3  permanent  R  l
fe80::2d0:f6ff:feea:4ff0%em3  00:d0:f6:ea:51:96  em3  expired    I  R
fe80::8dfc:5795:8ab7:e2b%em3  0c:c4:7a:ad:2a:e7  em3  permanent  R  l
Pinging any v6 address outside my network only results in one
fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
per ping sent.
Routes:
$ route -n show -inet6 | grep em3
default                       fe80::2d0:f6ff:feea:4ff0%em3  UGS    0   53699  -  8  em3
2605:a601:fe07:c900::1        0c:c4:7a:ad:2a:e7             UHLl   0    1752  -  1  em3
fe80::%em3/64                 fe80::8dfc:5795:8ab7:e2b%em3  UCn    1       1  -  4  em3
fe80::2d0:f6ff:feea:4ff0%em3  00:d0:f6:ea:51:96             UHLch  1  720183  -  3  em3
fe80::8dfc:5795:8ab7:e2b%em3  0c:c4:7a:ad:2a:e7             UHLl   0  110606  -  1  em3
ff01::%em3/32                 fe80::8dfc:5795:8ab7:e2b%em3  Um     0       3  -  4  em3
ff02::%em3/32                 fe80::8dfc:5795:8ab7:e2b%em3  Um     0  161322  -  4  em3
There is a managed switch between the firewall's egress and the ISP, but
it's not doing any packet filtering. I'm currently out of ideas; any
suggestions would be much appreciated.
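Added triage example to go with Kyle's capture above; this is not code from the thread, from OpenBSD, or from any of the posters. It reads `tcpdump -n ... ip6` lines and, per solicited target, counts neighbor solicitations and neighbor advertisements and classifies each NS as multicast (sent to the target's RFC 4291 solicited-node group, which is what the OpenBSD side does for fe80::2d0:f6ff:feea:4ff0) or unicast (sent straight to the target, which is what the ISP router does for 2605:a601:fe07:c900::1 and for the OpenBSD link-local). The sample input is constructed: the NS and dhcp6 lines are the ones quoted in the thread, and one neighbor advertisement line is added so the pairing logic has a positive case. The NA line format (`neighbor adv: tgt is ...`) is an assumption about what OpenBSD's tcpdump prints; adjust `NA_RE` if your build prints it differently.

```python
"""Pair ICMPv6 neighbor solicitations with advertisements in tcpdump output.

Constructed helper, not part of the mailing-list thread or of OpenBSD.
Given `tcpdump -nl -i em3 ip6` output it reports, per solicited target:
  - how many NS were seen and whether each went to the solicited-node
    multicast group or was unicast to the target itself,
  - how many NA for that target came back,
so an unanswered target stands out immediately.
"""
import ipaddress
import re
from collections import defaultdict

# NS lines are quoted verbatim in the thread; the NA printer format below is
# an assumption about OpenBSD tcpdump (print-icmp6.c) and may need adjusting.
NS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"icmp6: neighbor sol: who has (?P<tgt>[0-9a-f:]+)")
NA_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]+) > (?P<dst>[0-9a-f:]+): "
    r"icmp6: neighbor adv: tgt is (?P<tgt>[0-9a-f:]+)")

# Constructed sample: lines 1-8 are from Kyle's post, line 9 is a made-up NA
# from the OpenBSD box answering the router's unicast NS for its link-local.
SAMPLE = """\
22:46:53.876457 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:01.876688 fe80::2d0:f6ff:feea:4ff0 > 2605:a601:fe07:c900::1: icmp6: neighbor sol: who has 2605:a601:fe07:c900::1 [class 0xc0]
22:47:01.876778 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:01.877542 fe80::2d0:f6ff:feea:4ff0 > fe80::8dfc:5795:8ab7:e2b: icmp6: neighbor sol: who has fe80::8dfc:5795:8ab7:e2b [class 0xc0]
22:47:02.876594 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:03.876603 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:32.337233 fe80::8dfc:5795:8ab7:e2b.546 > ff02::1:2.547: dhcp6 release [hlim 1]
22:47:32.515413 fe80::2d0:f6ff:feea:4ff0.547 > fe80::8dfc:5795:8ab7:e2b.546: dhcp6 [class 0xc0]
22:47:33.000000 fe80::8dfc:5795:8ab7:e2b > fe80::2d0:f6ff:feea:4ff0: icmp6: neighbor adv: tgt is fe80::8dfc:5795:8ab7:e2b
"""


def _addr(text: str) -> ipaddress.IPv6Address:
    """Parse an address, dropping any %ifname scope suffix."""
    return ipaddress.IPv6Address(text.split("%", 1)[0])


def solicited_node(addr: str) -> str:
    """RFC 4291 solicited-node multicast group: ff02::1:ff00:0/104 + low 24 bits."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | (int(_addr(addr)) & 0xFFFFFF)))


def analyze(capture: str) -> dict:
    """Return {target: counters} for every NS/NA target seen in the capture."""
    stats = defaultdict(lambda: {"solicits": 0, "multicast_solicits": 0,
                                 "unicast_solicits": 0, "odd_dst": 0,
                                 "advertisements": 0})
    for line in capture.splitlines():
        m = NS_RE.match(line)
        if m:
            tgt, dst = m["tgt"], _addr(m["dst"])
            s = stats[tgt]
            s["solicits"] += 1
            if dst == _addr(solicited_node(tgt)):
                s["multicast_solicits"] += 1      # normal address resolution
            elif dst == _addr(tgt):
                s["unicast_solicits"] += 1        # NUD-style probe to the target
            else:
                s["odd_dst"] += 1                 # NS to neither group nor target
            continue
        m = NA_RE.match(line)
        if m:
            stats[m["tgt"]]["advertisements"] += 1
    return dict(stats)


def unanswered_targets(capture: str) -> list:
    """Targets that were solicited at least once but never advertised."""
    return sorted(t for t, s in analyze(capture).items()
                  if s["solicits"] and s["advertisements"] == 0)


if __name__ == "__main__":
    for tgt, s in analyze(SAMPLE).items():
        print(f"{tgt:32} NS={s['solicits']} (mcast={s['multicast_solicits']}, "
              f"ucast={s['unicast_solicits']}, odd={s['odd_dst']}) "
              f"NA={s['advertisements']}")
    print("unanswered:", unanswered_targets(SAMPLE))
```

Run it against a live capture with `tcpdump -nl -i em3 ip6 | python3 ndcheck.py` after changing the `__main__` block to read stdin; on the sample it lists both fe80::2d0:f6ff:feea:4ff0 (three multicast NS from OpenBSD, no NA from the router) and 2605:a601:fe07:c900::1 (one unicast NS from the router, no NA from OpenBSD) as unanswered, which is exactly the two-sided silence Kyle describes. Note that a unicast NS to a /128 address is legitimate under RFC 4861 neighbor unreachability detection, so seeing it is not itself the problem; the absence of the NA is.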