Date: Fri, 10 Jul 2020 18:57:35 -0400
From: Jon Radel <jon@radel.com>
To: freebsd-questions@freebsd.org
Subject: Re: trouble setting up ipv6
Message-ID: <b80af7d7-e7fc-b6aa-2df1-b2969f9cbf65@radel.com>
In-Reply-To: <5F08D889.8080708@gmail.com>
References: <5F088CAE.2090400@gmail.com> <a8339776-478e-2274-428e-5f451c06f0dc@radel.com> <5F08A3BA.8060401@gmail.com> <f63ed225-5b6a-765e-aee3-259469bd8609@radel.com> <5F08D889.8080708@gmail.com>
On 7/10/20 17:07, Ernie Luzar wrote:
> Jon Radel wrote:
>> On 7/10/20 13:22, Ernie Luzar wrote:
> snip
>>>
>> Notable largely for the complete lack of a default route.
>>
>> Consider setting your gateway explicitly instead of depending on router
>> advertisements:
>>
>> ipv6_defaultrouter="2600:3c02::dead:dead:dead:beef"
>
> Put this ipv6_defaultrouter= in rc.conf?

Yes.  The address fe80::1 should work, as you report that below as the
link local address of the equipment identifying itself as a local router.

>>
>> or whatever that address is.  Otherwise you'll need to figure out
>> what's broken with router advertisements on your network.  My quick read
>> of your ipf.rules file leads me to believe that you're allowing icmp6
>> router advertisements in
>
> Let me put into my own words what I think you are saying.
> 1. That the standard inbound icmpv6 routeradvert is supposed to auto
> populate the host internal ipv6 default router ipv6 address.

Yes.  Mostly.  By default.  There are ways to turn things off.
https://blogs.infoblox.com/ipv6-coe/why-you-must-use-icmpv6-router-advertisements-ras/
is a fairly nice description.

>
> 2. That the inbound icmpv6 routeradvert my host is receiving from my
> ISP is incomplete or being incorrectly populated by my ISP.

Maybe.  Now that I look over your config again, it appears that you're
getting your ipv6 address just fine via Routing Advertisement (RA).... so
why aren't you getting a default gateway address?  I haven't a clue.
[But see below for a correction to this.]

But I will note that unless you connect to your ISP with only a L2 bridge
and have no L3 router of any type, the RA would be generated on a local
router.

>
> 3. There are also icmp6 neighborsolicit inbound packets that are not
> being passed by the same rule that passes the inbound icmpv6
> routeradvert packets but get blocked by the default block all rule.  I
> am thinking this is an un-reported bug in ipfilter.

It does sound odd.

>>
>>> # pass in ipv6 pings. no ipv6 with keep state option allowed
>>> pass in log quick proto icmp6 all
>> Are you logging advertisements based on that?  If you don't see them,
>> you probably need to figure out what's up with your gateway device.
>
> Yes I see router advertisements logged in the ipf.log file.
>
> fe80::1 -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN
> multicast
>
> Get this log line 2222 times per minute

Interesting.  That's orders of magnitude higher frequency than I'd expect
per RFC 4861, unless you have a vast network with many nodes soliciting
RAs.  I'd actually have to sniff networks around here before I could say
more--I've honestly never worried about the frequency of RAs.

>
> I also see the blocked inbound icmpv6 neighborsolicit packets that get
> logged by the default block all rule for inbound traffic.
>
>>
>> As a quick check, you can also override the routing table with the -g
>> option to ping6.
>
> The ipv6 address auto assigned to the vtnet0 is what is considered as
> the default route.  Am I understanding this correctly?

??  I don't think so.  If you want to talk to the Internet from your
machine via vtnet0, vtnet0 has an address and on the same network there is
a router with a different address in the same network.  The router's
address would be configured as the default gateway on your machine.

In the case of ipv6, there are frequently multiple sets of addresses on
the same physical/virtual network.  In your case
2600:3c02::f03c:92ff:febc:1 and 2600:3c02::f03c:92ff:febc:5437 are both
addresses on your machine and there *may* be an address also in
2600:3c02::/64 on your router that would work as the gateway.
fe80::f03c:92ff:febc:5437%vtnet0 is the link local address (completely
non-routable) on your machine associated with vtnet0, which should be able
to use fe80::1, which you know exists as that's what your router is using
as a source address.

See
https://blogs.infoblox.com/ipv6-coe/fe80-1-is-a-perfectly-valid-ipv6-default-gateway-address/
about the background regarding using fe80::1 as a default route.

---------a bit more rummaging in your configs and actually thinking a bit-------------

Oh....... DOH!

So all the above is true except for my not having a clue as to why the
gateway portion of incoming RAs is ignored.  You might find some of it
useful anyway.

> ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
> gateway_enable="YES"
> ipv6_gateway_enable="YES"

The last line sets your FreeBSD machine up as a router.  If a device is a
router, it completely ignores, by design, routing information from
incoming RAs.

So I think your two primary choices are to, if you don't need the FreeBSD
machine to route ipv6, remove the

ipv6_gateway_enable="YES"

and if you do want the machine to route, explicitly set a default gateway

ipv6_defaultrouter="fe80::1"

Either should give you a usable routing table.

-- 
--Jon Radel
jon@radel.com
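Added example, not part of the thread and not code from Jon, Ernie or the FreeBSD project: a small Python script that checks an rc.conf for the conflict Jon ends up identifying (accept_rtadv on an interface while ipv6_gateway_enable="YES" turns the machine into a router, with no ipv6_defaultrouter to fall back on) and that summarises ipfilter log lines to measure how many router advertisements arrive per minute and whether inbound neighbor solicitations are being blocked. The rc.conf fragments and the log lines are constructed for the example; the prefix fields on the log lines (time, interface, @group:rule, p/b action) are assumed from ipmon's usual layout, while the tail of each line matches the format Ernie quoted. The rate ceiling used for the RA check is RFC 4861's MIN_DELAY_BETWEEN_RAS of 3 seconds for all-nodes multicast advertisements from a single router.

```python
"""Lint rc.conf for the RA-versus-router conflict and summarise ipf.log ICMPv6 lines.
Example code written for this thread; all sample data below is constructed."""
import re
from collections import Counter

# Constructed rc.conf fragments, modelled on the three lines quoted in the thread.
RC_CONF_BROKEN = """
ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
gateway_enable="YES"
ipv6_gateway_enable="YES"
"""
RC_CONF_STATIC_GW = RC_CONF_BROKEN + 'ipv6_defaultrouter="fe80::1"\n'          # keep routing, set gateway
RC_CONF_HOST_ONLY = RC_CONF_BROKEN.replace('ipv6_gateway_enable="YES"\n', "")  # stop routing, learn from RA


def parse_rc_conf(text):
    """Parse rc.conf-style key="value" lines into a dict; comments and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def ipv6_default_route_findings(conf):
    """Return reasons no IPv6 default route would be installed, or [] if the config is consistent."""
    accepts_ra = any(k.startswith("ifconfig_") and k.endswith("_ipv6") and "accept_rtadv" in v
                     for k, v in conf.items())
    is_router = conf.get("ipv6_gateway_enable", "NO").upper() == "YES"
    if conf.get("ipv6_defaultrouter"):
        return []  # an explicit gateway is installed regardless of how RAs are handled
    findings = []
    if is_router:
        findings.append('ipv6_gateway_enable="YES" makes the host a router, so the gateway in '
                        "incoming RAs is ignored: set ipv6_defaultrouter or remove that line")
    elif not accepts_ra:
        findings.append("no accept_rtadv on any interface and no ipv6_defaultrouter: "
                        "no IPv6 default route will be learned")
    return findings


# Constructed ipmon-style lines (time, interface, @group:rule, p=pass/b=block, then the
# same tail as the line quoted in the thread).  They span about ten seconds.
SAMPLE_IPF_LOG = """\
17:05:00.10 vtnet0 @0:3 p fe80::1 -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
17:05:02.11 vtnet0 @0:3 p fe80::1 -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
17:05:04.12 vtnet0 @0:3 p fe80::1 -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
17:05:05.00 vtnet0 @0:9 b fe80::1 -> ff02::1:ffbc:5437 PR icmpv6 len 40 72 icmpv6 neighborsolicit/0 IN multicast
17:05:06.13 vtnet0 @0:3 p fe80::1 -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
17:05:07.00 vtnet0 @0:9 b fe80::1 -> 2600:3c02::f03c:92ff:febc:5437 PR icmpv6 len 40 72 icmpv6 neighborsolicit/0 IN
17:05:08.14 vtnet0 @0:3 p fe80::1 -> ff02::1 PR icmpv6 len 40 104 icmpv6 routeradvert/0 IN multicast
"""
SAMPLE_WINDOW_SECONDS = 10

# The pass/block flag is optional so the bare line quoted in the thread also parses.
ICMP6_LINE = re.compile(
    r"(?:\s(?P<action>[pb])\s+)?(?P<src>\S+) -> (?P<dst>\S+) PR icmpv6 len \d+ \d+ "
    r"icmpv6 (?P<type>[a-z]+)/\d+ (?P<dir>IN|OUT)")

# RFC 4861 section 6.2.6: consecutive RAs to the all-nodes address from one router are
# rate limited to one per MIN_DELAY_BETWEEN_RAS (3 s), i.e. at most 20 per minute.
RFC4861_MAX_RA_PER_MIN = 60 / 3


def analyze_icmp6_log(lines, seconds_covered):
    """Count ICMPv6 entries by (type, direction, action) and report RA floods and blocked NS.

    Returns (counts, findings) where findings is a list of human-readable strings."""
    counts = Counter()
    ra_by_src = Counter()
    for line in lines:
        m = ICMP6_LINE.search(line)
        if not m:
            continue
        action = m["action"] or "?"  # "?" when the line carries no pass/block flag
        counts[(m["type"], m["dir"], action)] += 1
        if m["type"] == "routeradvert" and m["dir"] == "IN" and m["dst"] == "ff02::1":
            ra_by_src[m["src"]] += 1
    findings = []
    for src, n in ra_by_src.items():
        per_min = n * 60 / seconds_covered
        if per_min > RFC4861_MAX_RA_PER_MIN:
            findings.append(f"{src}: {per_min:.0f} all-nodes RAs/min, above the RFC 4861 ceiling "
                            f"of {RFC4861_MAX_RA_PER_MIN:.0f}/min for one router; check the "
                            "router or look for duplicated log lines")
    blocked_ns = sum(n for (t, d, a), n in counts.items()
                     if t == "neighborsolicit" and d == "IN" and a == "b")
    if blocked_ns:
        findings.append(f"{blocked_ns} inbound neighbor solicitations blocked: without them NDP "
                        "address resolution for this host fails; pass them explicitly")
    return counts, findings


if __name__ == "__main__":
    for name, text in (("broken", RC_CONF_BROKEN), ("static gateway", RC_CONF_STATIC_GW),
                       ("host only", RC_CONF_HOST_ONLY)):
        print(name, ipv6_default_route_findings(parse_rc_conf(text)) or ["ok"])
    counts, findings = analyze_icmp6_log(SAMPLE_IPF_LOG.splitlines(), SAMPLE_WINDOW_SECONDS)
    for key, n in sorted(counts.items()):
        print(key, n)
    for f in findings:
        print("finding:", f)
```

Run it against a real /etc/rc.conf and a real ipf.log (with the window length the log actually covers) by swapping the constructed strings for file contents; the two rc.conf fixes Jon offers both come back clean, while the original three lines produce the single finding that explains the empty routing table.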
