FreeBSD 12 not answering neighbor solicitation

lory


Hi,

I have ipv6 from Hurricane Electric, Mikrotik GW, FreeBSD box on LAN.

FreeBSD has a static IPv6 address: 2001:470:1f15:86d::41/64
GW: 2001:470:1f15:86d::1

When trying to ping6 FreeBSD box from internet, Mikrotik sends:
Code:
13:49:20.783868 IP6 fe80::6e3b:6bff:feac:24b2 > ff02::1:ff00:41: ICMP6, neighbor solicitation, who has 2001:470:1f15:86d::41, length 32
13:49:21.783853 IP6 fe80::6e3b:6bff:feac:24b2 > ff02::1:ff00:41: ICMP6, neighbor solicitation, who has 2001:470:1f15:86d::41, length 32

FreeBSD does not answer and is not accessible. Linux boxes have no problem: Ubuntu, CentOS, Synology NAS.

This is output from Mikrotik "/ipv6 neighbor print":
Code:
 0   address=2001:470:1f15:86d::5 interface=ether2 
     mac-address=00:11:32:4B:FC:23 status="reachable" 

 1   address=fe80::211:32ff:fe4b:fc23 interface=ether2 
     mac-address=00:11:32:4B:FC:23 status="stale" 
 
 2   address=2001:470:1f15:86d::41 interface=ether2 status="failed"

When I ping6 something from the FreeBSD box, the box is reachable for some time until the neighbor entry expires.

Best regards.
 

SirDice


Do you have a firewall enabled on FreeBSD? That might be blocking the ICMP6 messages.
 
lory

If I add an ff02::1:ff00:41/104 alias to interface em0, IPv6 works for a while.

ifconfig em0 inet6 ff02::1:ff00:41/104 alias

Then it stops and I must delete and add the alias again.
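
Added example, not part of the original posts: the ff02::1:ff00:41 destination in the capture and in the alias above is the solicited-node multicast group for 2001:470:1f15:86d::41. The Python below derives that group and its Ethernet multicast MAC, then checks the two captured solicitations against it; the function names are illustrative and the capture lines are copied from the first post.

```python
import ipaddress
import re

# Sample input: the two tcpdump lines from the first post.
CAPTURE = [
    "13:49:20.783868 IP6 fe80::6e3b:6bff:feac:24b2 > ff02::1:ff00:41: ICMP6, neighbor solicitation, who has 2001:470:1f15:86d::41, length 32",
    "13:49:21.783853 IP6 fe80::6e3b:6bff:feac:24b2 > ff02::1:ff00:41: ICMP6, neighbor solicitation, who has 2001:470:1f15:86d::41, length 32",
]

NS_RE = re.compile(
    r"IP6 (?P<src>\S+) > (?P<dst>[0-9a-fA-F:]+): ICMP6, "
    r"neighbor solicitation, who has (?P<target>[0-9a-fA-F:]+),"
)

SOLICITED_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr):
    """RFC 4291: ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_PREFIX | low24)


def ethernet_group_mac(group):
    """RFC 2464: 33:33 followed by the low 32 bits of the multicast address."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def check_capture(lines, host_addr):
    """Return one verdict per solicitation for host_addr seen in the capture."""
    host = ipaddress.IPv6Address(host_addr)
    expected = solicited_node(host)
    verdicts = []
    for line in lines:
        m = NS_RE.search(line)
        if not m or ipaddress.IPv6Address(m["target"]) != host:
            continue  # not a solicitation for this host
        dst = ipaddress.IPv6Address(m["dst"])
        verdicts.append({
            "src": m["src"],
            "dst": str(dst),
            "well_formed": dst == expected,   # router used the right group
            "frame_mac": ethernet_group_mac(dst),
        })
    return verdicts


if __name__ == "__main__":
    for verdict in check_capture(CAPTURE, "2001:470:1f15:86d::41"):
        print(verdict)
```

Both solicitations are addressed to the correct group, so the host only answers them if em0 is joined to that group and accepts frames for the derived MAC; on FreeBSD the memberships can be listed with ifmcstat(8).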
 

SirDice


I also have an IPv6 tunnel from HE and it's been working fine for the past couple of years. But I have the tunnel terminated on my FreeBSD firewall. So I suspect it's something the Mikrotik does (or fails to do).
 

VladiBG


I suspect that he's missing the fe80:: address on his interface.
 

SirDice


That's actually a good one. lory, can you post the output of ifconfig(8)? And what are the relevant bits from rc.conf?
 
lory

Code:
ifconfig

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
        ether 44:8a:5b:b5:a1:9b
        inet 10.0.0.41 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::468a:5bff:feb5:a19b%em0 prefixlen 64 scopeid 0x1
        inet6 2001:470:1f15:86d::41 prefixlen 64
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=8021<PERFORMNUD,AUTO_LINKLOCAL,DEFAULTIF>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

rc.conf
Code:
ipv6_gateway_enable="NO"
ipv6_default_interface="em0"
ifconfig_em0_ipv6="inet6 2001:470:1f15:86d::41 prefixlen 64 auto_linklocal"
ipv6_defaultrouter="2001:470:1f15:86d::1"

sysctl.conf
Code:
net.inet6.ip6.forwarding=1
net.inet6.ip6.auto_linklocal=1

Before Mikrotik, IPv6 was terminated by FreeBSD and I had no problems.
 

VladiBG


If this server will no longer act as a gateway, remove ipv6_gateway_enable from your rc.conf. It actually controls the sysctl net.inet6.ipv6.forwarding variable, so you don't need to explicitly enable it in sysctl.conf; you can comment it out or delete it from sysctl.conf too.
The net.inet6.ip6.auto_linklocal sysctl controls the interface auto_linklocal flag and you don't need it either, so remove it from your sysctl.conf, because on the interfaces which have IPv6 enabled the link-local address (fe80::) is generated automatically. Then read here how to set up a static IPv6 address on your interface:
31.9.2. Configuring IPv6
https://www.freebsd.org/doc/handbook/network-ipv6.html

The rc.conf variable ipv6_default_interface is not needed as it works only if ipv6_gateway_enable is enabled.

---
rc.conf
---
ipv6_gateway_enable="NO"
ipv6_default_interface="em0"
ifconfig_em0_ipv6="inet6 2001:470:1f15:86d::41 prefixlen 64"
ipv6_defaultrouter="2001:470:1f15:86d::1"

sysctl.conf
net.inet6.ip6.forwarding=1
net.inet6.ip6.auto_linklocal=1

Edit:
Also check if the default IPv6 gateway is 2001:470:1f15:86d::1 or fe80::01
 

SirDice


When I ping GW, the IPv6 works for a while.
When FreeBSD is missing from Mikrotik's /ipv6/neighbor table, then IPv6 stops working.
That really points to an issue with the Mikrotik. Why would it go missing?

To be honest I don't trust those Mikrotik devices. When I investigate malware bots trying to break into my servers it often turns out to be a hacked Mikrotik router.

https://www.zdnet.com/article/thousands-of-mikrotik-routers-are-snooping-on-user-traffic/

I'm not saying that's the case with your router, although I do recommend making absolutely sure you have the latest firmware. I simply trust these things about as far as I can throw them.
 
lory

That really points to an issue with the Mikrotik. Why would it go missing?

To be honest I don't trust those Mikrotik devices. When I investigate malware bots trying to break into my servers it often turns out to be a hacked Mikrotik router.

https://www.zdnet.com/article/thousands-of-mikrotik-routers-are-snooping-on-user-traffic/

I'm not saying that's the case with your router, although I do recommend making absolutely sure you have the latest firmware. I simply trust these things about as far as I can throw them.

I am on the latest firmware.
Winbox listens on the LAN interface.
 

T-Daemon


From the FreeBSD side you could do some diagnosis with ndp(8), eventually control some settings. I can't say if the tool is of any use in helping to delimit the problem, but it won't hurt to take a look.
 
lory

Finally:

/usr/sbin/daemon -f /sbin/ping6 -i 2 -s 1 2001:470:1f15:86d::1

Not clear, but working :(
 

pos


Hi

You say it works on Linux... I know one IPv6 difference between Linux and FreeBSD is that FreeBSD *requires* the gateway IP to fit inside the interface network mask, whereas on Linux it is not a requirement. This causes tons of problems if running in the cloud, where the hosting operator often has a big IP block for many customers. A standard setup is that a customer gets a /64 for his host. But the gateway he gets is outside the /64 and fits in a bigger /48. In such a setup with FreeBSD, the mask has to be changed to /48 for the routing to work. But this of course could give you connection errors to others within this block.

The RFC standard is not that clear. I have recently logged this as a FreeBSD bug in Bugzilla, as I, like the cloud operators and the Linux community, state it is allowed. Also it causes problems...

But... I have not read your thread in detail. So this is maybe not your problem :)

/Peo

EDIT:
No, you probably have another issue....
 