Date: Fri, 10 Jul 2020 18:57:35 -0400
From: Jon Radel <jon@radel.com>
To: freebsd-questions@freebsd.org
Subject: Re: trouble setting up ipv6
Message-ID: <b80af7d7-e7fc-b6aa-2df1-b2969f9cbf65@radel.com>
In-Reply-To: <5F08D889.8080708@gmail.com>
References: <5F088CAE.2090400@gmail.com> <a8339776-478e-2274-428e-5f451c06f0dc@radel.com> <5F08A3BA.8060401@gmail.com> <f63ed225-5b6a-765e-aee3-259469bd8609@radel.com> <5F08D889.8080708@gmail.com>

On 7/10/20 17:07, Ernie Luzar wrote:
> Jon Radel wrote:
>> On 7/10/20 13:22, Ernie Luzar wrote:
> snip
>>>
>> Notable largely for the complete lack of a default route.
>>
>> Consider setting your gateway explicitly instead of depending on router
>> advertisements:
>>
>> ipv6_defaultrouter="2600:3c02::dead:dead:dead:beef"
>
> Put this ipv6_defaultrouter= in rc.conf?

Yes. The address fe80::1 should work, as you report that below as the
link local address of the equipment identifying itself as a local router.

>>
>> or whatever that address is. Otherwise you'll need to figure out
>> what's
>> broken with router advertisements on your network. My quick read of
>> your ipf.rules file leads me to believe that you're allowing icmp6
>> router advertisements in
>
> Let me put into my own words what I think you are saying.
> 1. That the standard inbound icmpv6 routeradvert is supposed to auto
> populate the host internal ipv6 default router ipv6 address.

Yes. Mostly. By default. There are ways to turn things off.
https://blogs.infoblox.com/ipv6-coe/why-you-must-use-icmpv6-router-advertisements-ras/
is a fairly nice description.

>
> 2. That the inbound icmpv6 routeradvert my host is receiving from my
> ISP is incomplete or being incorrectly populated by my ISP.

Maybe. Now that I look over your config again, it appears that you're
getting your ipv6 address just fine via Routing Advertisement (RA)....
so why aren't you getting a default gateway address? I haven't a clue.
[But see below for a correction to this.] But I will note that unless
you connect to your ISP with only a L2 bridge and have no L3 router of
any type, the RA would be generated on a local router.

>
> 3. There are also icmp6 neighborsolicit inbound packets that are not
> being passed by the same rule that passes the inbound icmpv6
> routeradvert packets but get blocked by the default block all rule. I
> am thinking this is an un-reported bug in ipfilter.

It does sound odd.

>>
>>> # pass in ipv6 pings. no ipv6 with keep state option allowed
>>> pass in log quick proto icmp6 all
>> Are you logging advertisements based on that? If you don't see them,
>> you probably need to figure out what's up with your gateway device.
>
> Yes I see router advertisements logged in the ipf.log file.
>
>  fe80::1 -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN
> multicast
>
> Get this log line 2222 times per minute

Interesting. That's orders of magnitude higher frequency than I'd
expect per RFC 4861, unless you have a vast network with many nodes
soliciting RAs. I'd actually have to sniff networks around here before
I could say more--I've honestly never worried about the frequency of RAs.

>
> I also see the blocked inbound icmpv6 neighborsolicit packets that get
> logged by the default block all rule for inbound traffic.
>
>>
>> As a quick check, you can also override the routing table with the -g
>> option to ping6.
>
> The ipv6 address auto assigned to the vtnet0 is what is considered as
> the default route. Am I understanding this correctly?

?? I don't think so. If you want to talk to the Internet from your
machine via vtnet0, vtnet0 has an address and on the same network there
is a router with a different address in the same network. The router's
address would be configured as the default gateway on your machine. In
the case of ipv6, there are frequently multiple sets of addresses on the
same physical/virtual network. In your case 2600:3c02::f03c:92ff:febc:1
and 2600:3c02::f03c:92ff:febc:5437 are both addresses on your machine
and there *may* be an address also in 2600:3c02::/64 on your router
that would work as the gateway. fe80::f03c:92ff:febc:5437%vtnet0 is the
link local address (completely non-routable) on your machine associated
with vtnet0, which should be able to use fe80::1, which you know exists
as that's what your router is using as a source address.

See
https://blogs.infoblox.com/ipv6-coe/fe80-1-is-a-perfectly-valid-ipv6-default-gateway-address/
about the background regarding using fe80::1 as a default route.

---------a bit more rummaging in your configs and actually thinking a bit-------------

Oh....... DOH!

So all the above is true except for my not having a clue as to why the
gateway portion of incoming RAs is ignored. You might find some of it
useful anyway.

> ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
> gateway_enable="YES"
> ipv6_gateway_enable="YES"

The last line sets your FreeBSD machine up as a router. If a device is
a router, it completely ignores, by design, routing information from
incoming RAs.

So I think your two primary choices are to, if you don't need the
FreeBSD machine to route ipv6, remove the

ipv6_gateway_enable="YES"

and if you do want the machine to route, explicitly set a default gateway

ipv6_defaultrouter="fe80::1"

Either should give you a usable routing table.

-- 
--Jon Radel
jon@radel.com
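
A check for the misconfiguration diagnosed at the end of this message, as an added example that is not part of the original e-mail: it reads an rc.conf and reports each interface that sets accept_rtadv while ipv6_gateway_enable is on and no ipv6_defaultrouter is given. The function names and the verdict words (CONFLICT, STATIC, RA) are this example's own, and the rule it encodes is the one stated in the message.

```sh
#!/bin/sh
# Added example (not from the thread): flag an rc.conf where an interface asks
# for router advertisements while the host is itself set up as an IPv6 router.

# rc_get FILE VAR: print the last value assigned to VAR, without quotes.
rc_get() {
    awk -v var="$2" '
        { sub(/^[ \t]+/, "") }
        index($0, var "=") == 1 {
            val = substr($0, length(var) + 2)
            sub(/[ \t]+#.*$/, "", val)      # trailing comment
            sub(/[ \t]+$/, "", val)
            gsub(/^"|"$/, "", val)          # surrounding double quotes
            last = val
        }
        END { print last }' "$1"
}

# audit_ra FILE: print "<VERDICT> <interface>" for every interface that sets
# accept_rtadv; exit status is 1 if any verdict is CONFLICT.
audit_ra() {
    rc=0
    gw=$(rc_get "$1" ipv6_gateway_enable)
    rtr=$(rc_get "$1" ipv6_defaultrouter)
    for v in $(awk -F= '/^[ \t]*ifconfig_[A-Za-z0-9_]+_ipv6=/ {
                   sub(/^[ \t]+/, "", $1); print $1 }' "$1" | sort -u); do
        case $(rc_get "$1" "$v") in *accept_rtadv*) ;; *) continue ;; esac
        ifn=${v#ifconfig_}; ifn=${ifn%_ipv6}
        case $gw in
            [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
                # Router mode: per the message, routing info in RAs is ignored,
                # so a default route must come from ipv6_defaultrouter.
                if [ -n "$rtr" ]; then echo "STATIC $ifn"
                else echo "CONFLICT $ifn"; rc=1; fi ;;
            *)  echo "RA $ifn" ;;           # host mode: RAs supply the route
        esac
    done
    return $rc
}

# Constructed sample: the three rc.conf lines quoted in the message.
demo_conf() {
    printf '%s\n' 'ifconfig_vtnet0_ipv6="inet6 accept_rtadv"' \
        'gateway_enable="YES"' 'ipv6_gateway_enable="YES"'
}
f=$(mktemp); demo_conf > "$f"; audit_ra "$f" || true; rm -f "$f"
```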