From: Felix Reichenberger
To: FreeBSD User
Cc: FreeBSD CURRENT
Date: Mon, 8 Jan 2024 01:33:53 +0100 (CET)
Subject: Re: IPFW/IPv6 problem with JAIL: JAIL cannot ping -6 host until host first pings jail (ipv6)
In-Reply-To: <20240107185133.68824d89@thor.intern.walstatt.dynvpn.de>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

> Hello,
>
> I've got a problem with recent CURRENT, running vnet JAILs.
> FreeBSD 15.0-CURRENT #28 main-n267432-e5b33e6eef7: Sun Jan 7 13:18:15 CET 2024 amd64
>
> Main Host has IPFW configured and is open for services like OpenLDAP on UDP/TCP and ICMP
> (ipfw is configured via rc.conf in this case, host is listening on both protocol families
> IPv4 and IPv6).
>
> The host itself has openldap-server 2.6 as a service. The host's interface is igb0 with
> assigned ULA. JAILs (around eight jails) are sharing their vnet interfaces via a bridge with
> the same physical device as the host (igb0). After a while (the time elapsed is unspecific)
> the jail is unable to contact the host via IPv6: neither UDP, TCP nor ICMP sent from the JAIL
> is reaching the host. IPv4 is working like a charm! No problems there.
>
> When pinging the Jail from the main host via ping -6, the jail is responding! After the first
> ping -6, the jail now is able to ping -6 the main host.
>
> After a fresh reboot, the problem is not present and occurs after a while and it seems to
> happen first to very active jails.
>
> Kind regards,
>
> oh
>
>
> --
> O. Hartmann

Hello,

This behavior might be caused by IPFW blocking some IPv6 neighbor discovery/advertisement messages.
After some time, the link layer addresses of the IPv6 neighbors in the NDP cache may expire, making the associated IPv6 addresses inaccessible.
Do your IPFW rules allow ICMPv6 messages to and from IPv6 multicast addresses?

Regards.
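
Added example, not part of the message above and not the poster's ruleset: a dry-run script that emits ipfw rules passing the Neighbor Discovery traffic the reply asks about, modelled on the mandatory IPv6 rules in FreeBSD's /etc/rc.firewall. The function name, the FWCMD variable and the rule numbers (base 300) are assumptions; the rules must sit before any deny rule that matches ipv6-icmp.

```shell
#!/bin/sh
# Added example: ipfw pass rules for IPv6 Neighbor Discovery (ND).
# Assumed, not from the thread: rule numbering and the FWCMD variable.

# Dry run by default: each command is printed instead of executed.
# On the FreeBSD host, set FWCMD="/sbin/ipfw -q" to apply the rules.
FWCMD="${FWCMD:-echo ipfw -q}"

# add_ndp_rules BASE: add the ND pass rules numbered BASE, BASE+10, ...
add_ndp_rules() {
    n="${1:-300}"

    # Duplicate Address Detection: Neighbor Solicitation sent from the
    # unspecified address (::) to a link-scope multicast group.
    $FWCMD add "$n" pass ipv6-icmp from :: to ff02::/16

    # RS/RA/NS/NA exchanged between link-local addresses, and from
    # link-local addresses to link-scope multicast (solicited-node,
    # all-nodes, all-routers).
    $FWCMD add $((n + 10)) pass ipv6-icmp from fe80::/10 to fe80::/10
    $FWCMD add $((n + 20)) pass ipv6-icmp from fe80::/10 to ff02::/16

    # NS (135) and NA (136) from any source: address resolution for a
    # ULA or global address may be sourced from that address, which the
    # fe80::/10 rules above do not match. Type 2 (packet too big) is
    # passed as well so path MTU discovery keeps working.
    $FWCMD add $((n + 30)) pass ipv6-icmp from any to any icmp6types 2,135,136
}

# Print the rules for review (dry run unless FWCMD was overridden).
add_ndp_rules 300
```

On the host, `ndp -an` shows whether the jail's entry has dropped out of the neighbor cache, and `ipfw -a list` shows per-rule packet counters, which tells you whether a deny rule is counting ipv6-icmp packets while the jail is unreachable.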