FreeBSD 8.2 + ipv6

[folivora]

Hi,

I have been trying to get ipv6 with static address working for sometime. I have checked things with my ISP, and there are no problems on their side with the configuration. It seems that there is something wrong with the configuration which I have, I have followed instructions in 32.12.5.1 IPv6 Client Settings in FreeBSD Handbook.

So here is my configurations:

/etc/rc.conf

ipv6_enable="YES"
ipv6_network_interface="re0"
ipv6_ifconfig_re0="2001:1bc8:102:1234::4"
ipv6_defaultrouter="2001:1bc8:102:1234::1"

/etc/pf.conf

icmp6_types_out = "{ echoreq, unreach, neighbrsol, routersol }"
icmp6_types_in = "{ echoreq, unreach, neighbrsol, neighbradv, routeradv }"
 
pass out on $ext_if inet6 proto { tcp, udp } keep state
pass out on $int_if inet6 proto { tcp, udp } keep state
 
pass out on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_types_out
pass in on $ext_if inet6 proto icmp6 all icmp6-type $icmp6_types_in

[CMD=]netstat -rn -f inet6[/CMD]

Routing tables

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0 =>
default                           2001:1bc8:102:1234::1         UGS         re0
::1                               ::1                           UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
2001:1bc8:102:1234::/64           link#2                        U           re0
2001:1bc8:102:1234::4             link#2                        UHS         lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#4                        U           lo0
fe80::1%lo0                       link#4                        UHS         lo0
ff01:2::/32                       2001:1bc8:102:1234::4         U           re0
ff01:4::/32                       fe80::1%lo0                   U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%re0/32                     2001:1bc8:102:1234::4         U           re0
ff02::%lo0/32                     fe80::1%lo0                   U           lo0

Am I missing some configurations? I can resolv, ping different hosts, but I am facing packet loss. Is there something special with pf, since it seems that I cant see neighbors in my neighbor table with ndp

Best Rergards

Folivora

 

[SirDice]

I can resolv, ping different hosts, but I am facing packet loss.

Where does the packetloss ocur?

Install net/mtr-nox11, it can also handle IPv6.

 

[folivora]

It doesn't matter which host it is.

[CMD=]mtr -6 ipv6.google.com[/CMD]

                                         Packets               Pings
 Host                                    Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 2001:1bc8:102:1234::1                66.4%   144   17.3 454.8  16.9 8799. 1756.
 2. 2001:1bc8:1:7:0:e:0:4                79.7%   144   16.8 185.8  16.7 4870. 901.0
 3. hls-b2-link.telia.net                63.6%   144   16.8 413.5  16.6 8615. 1646.
 4. s-b3-v6.telia.net                    62.9%   144   24.3 411.9  23.7 8524. 1607.
 5. google-ic-130575-s-b3.c.telia.net    63.6%   144   23.9 420.3  23.2 8433. 1649.
 6. 2001:4860::1:0:26ec                  64.3%   144   24.5 345.7  24.1 8342. 1537.
 7. 2001:4860::1:0:60d                   65.0%   144   69.9 197.6  50.1 7297. 1024.
 8. 2001:4860::8:0:3097                  63.8%   139   59.3 195.5  49.9 7206. 1011.
 9. 2001:4860::1:0:336d                  63.8%   139   52.2 201.7  51.5 7115. 997.9
10. 2001:4860:0:1::537                   62.8%   138   52.0 198.2  51.6 7446. 1035.
11. muc03s02-in-x14.1e100.net            63.5%   138   52.0 198.4  51.2 7355. 1032.

I believe that it is something with the configurations?

There are no neighbors in my neighbor table, can pf block that?

Best Regards

Folivora

 

[SirDice]

It looks like the packetloss already happens on your own network. Try turning off PF and see if that improves anything.

 

[folivora]

Yes,

When I turn pf off everything works fine. Is there some other special rules, which should be allowed for ipv6 in pf.conf beside of those which I pasted earlier in this post ?

 

[SirDice]

I think it's something with your ICMP6 types. I'm filtering IPv6 with PF too but I never bothered to limit ICMP. I don't have any packetdrops and everthing seems to work.

 

[folivora]

It is doing the same even if I have these rules in my pf.conf

# ICMPv6
pass in on $ext_if inet6 proto icmp6 all
pass out on $ext_if inet6 proto icmp6 all

Any other ideas?

 

[SirDice]

Do you also get packetloss with IPv4? It might be something simple as a bad cable :e

 

[folivora]

Heh,

ipv4 works perfectly, no packet loss ect.. That one is checked. This problems is just with ipv6.

 

[folivora]

What kind of rules you have for ipv6 icmp in your pf.conf ?

 

[SirDice]

Nothing much, just this one:

block in log on $ext_if inet6 proto icmp6 all label "BlockIn_ExtIF_ICMP_v6"

 

[folivora]

But you don't have any specific rules for allowing icmp6 in/out?

 

[SirDice]

Nope, that's it. The other rules that might include IPv6 traffic are:

pass in quick on $int_if from $internal_net to any keep state
pass out quick on $ext_if from any to any keep state

Besides that I only accept a few things on IPv6:

pass in log on $ext_if inet6 proto tcp from any to $remote port 22 keep state

And I have a generic block rule for TCP connections on IPv6:

block return-rst in log on $ext_if inet6 proto tcp all label "BlockIn_ExtIF_TCP_v6"

 

[folivora]

Heh, I did reboot first time after I enable ipv6 in rc.conf, after the reboot everything works. I wonder why it didn't work after [CMD=]/etc/rc.d/network_ipv6 start[/CMD] command.

So the problem is solved, but still I am wondering what happened on reboot.

"never underestimate the power of reboot" :e