FreeBSD is not answering neighbour solicitation

Hi

This problem originated from my pfSense installation, but I just confirmed that I'm having the same problem with a clean installation of FreeBSD 12.2, so I thought I would ask here.

The problem is that FreeBSD does not answer NS send from my ISP's router, which results in no communication between the two.

I have attached a package capture that shows this problem. (Had to package it as a zip as pcap was not allowed)

As you can see from this FreeBSD (00:0c:29:a4:ab:43) sends out a Router Solicitation, the ISP routers then sends a NS, which FreeBSD never replies to and this causes IPv6 to not work.

I am not completely sure, but I have a feeling that it may somehow be related to the fact that the ISP routers uses a global IP as source (2a00:7660::248/249), instead of a link-local, as experimentation have shown that FreeBSD have no problem responding when the request comes from a link-local address.

I hope that someone knows the answer to this one, as it's starting to drive me kind of mad ;-)
 

Attachments

  • NS-no-response.pcapng.zip
    1 KB · Views: 88

SirDice

Administrator
Staff member
Administrator
Moderator
I can tell you IPv6 works just fine on 12.2-RELEASE, never was a problem. My servers have been diligently upgraded over the years. Never had a problem on 9.x, 10.x, 11.x, 12.x and now running everything on 12.2. I have a mixed bag of SLAAC, DHCPv6 and static address configurations. It's been working so well I generally just forget it's there. The only thing that sometimes has problems is the HE tunnelbroker I have to use.

Netflix and a few other streaming services sometimes complain I'm using an "illegal" proxy to circumvent their region locks. Which I'm not, but the IPv6 tunnel endpoint sometimes changes "location" according to the proxy filtering service they use.
 
I can tell you IPv6 works just fine on 12.2-RELEASE, never was a problem. My servers have been diligently upgraded over the years. Never had a problem on 9.x, 10.x, 11.x, 12.x and now running everything on 12.2. I have a mixed bag of SLAAC, DHCPv6 and static address configurations. It's been working so well I generally just forget it's there. The only thing that sometimes has problems is the HE tunnelbroker I have to use.

Netflix and a few other streaming services sometimes complain I'm using an "illegal" proxy to circumvent their region locks. Which I'm not, but the IPv6 tunnel endpoint sometimes changes "location" according to the proxy filtering service they use.
Thanks, I think that using a tunnel is a bit of a different thing than what I'm doing here?

I'm pretty sure I have the problem narrowed down to being caused by NS where the src is set to a global IPv6 address, instead of a local-link address.

See the attached files.

It would be great if anyone would be up to sending these to their own FreeBSD setup (You would of course have to change the dst and target address), to verify if this is a bug or not.
 

Attachments

  • pcaps.zip
    1.2 KB · Views: 78

SirDice

Administrator
Staff member
Administrator
Moderator
It would be great if anyone would be up to sending these to their own FreeBSD setup (You would of course have to change the dst and target address), to verify if this is a bug or not.

Code:
09:07:16.446240 IP6 fe80::201:2eff:fe41:a3e8 > fe80::92e2:baff:fe54:ff22: ICMP6, neighbor solicitation, who has fe80::92e2:baff:fe54:ff22, length 32
09:07:16.446450 IP6 fe80::92e2:baff:fe54:ff22 > fe80::201:2eff:fe41:a3e8: ICMP6, neighbor advertisement, tgt is fe80::92e2:baff:fe54:ff22, length 24
09:07:17.057804 IP6 2001:470:1f15:bcd::1ab > 2a00:1450:401b:800::2004: ICMP6, echo request, seq 5, length 16
09:07:17.091888 IP6 2a00:1450:401b:800::2004 > 2001:470:1f15:bcd::1ab: ICMP6, echo reply, seq 5, length 16
09:07:17.193337 IP6 2001:470:1f15:bcd::1ab > 2001:470:1f15:bcd::1: ICMP6, neighbor solicitation, who has 2001:470:1f15:bcd::1, length 32
09:07:17.193534 IP6 2001:470:1f15:bcd::1 > 2001:470:1f15:bcd::1ab: ICMP6, neighbor advertisement, tgt is 2001:470:1f15:bcd::1, length 24
09:07:17.720832 IP6 2001:470:1f15:bcd::1 > 2001:470:1f15:bcd::1ab: ICMP6, neighbor solicitation, who has 2001:470:1f15:bcd::1ab, length 32
09:07:17.720887 IP6 2001:470:1f15:bcd::1ab > 2001:470:1f15:bcd::1: ICMP6, neighbor advertisement, tgt is 2001:470:1f15:bcd::1ab, length 24
Pinging (on IPv6) www.google.com. That ::1 address is my gateway. All machines involved here are running 12.2.
 
As shown in the attached package, it should be:

src: global IP
dst: local-link

Looking at your examples it's either:

src: local-link
dst: local-link

or

src: global IP
dst: global IP
 
As shown in the attached package, it should be:

src: global IP
dst: local-link

Looking at your examples it's either:

src: local-link
dst: local-link

or

src: global IP
dst: global IP
SirDice: do you know if it's by design that FreeBSD will not reply to packages sent from a global address to a link local address? The problem is that this is the behavior that my ISP's routers are exhibiting, which prevents me from obtaining an IPv6 lease.

I have tested the same thing in Debian, which will happily reply to the packages, I also have not been able to find any documentation showing that it should not be possible.
 
Top