IPv6 gateway configuration no longer working (destination unreachable)

After a recent security update reboot I noticed that my internal clients could no longer use IPv6. I've been using FreeBSD as an IPv6 gateway for a long time using dhcp6c and rtadvd:

Code:
Relevant rc.conf entries:
ipv6_gateway_enable="YES"
ipv6_cpe_wanif="re0"
ipv6_activate_all_interfaces="YES"

# External interface
ifconfig_re0_ipv6="inet6 accept_rtadv"

# Internal interface
ifconfig_em0_ipv6="inet6 -accept_rtadv"

# Enabled services
dhcp6c_enable="YES"
dhcp6c_interfaces="re0"
dhcpd_enable="YES"
dhcpd_ifaces="em0"
rtadvd_enable="YES"
rtadvd_interfaces="em0"

Code:
 cat /usr/local/etc/dhcp6c.conf
interface re0 {
  send rapid-commit;    # Request two-step DHCP exchange instead of the usual four-step method

  request domain-name-servers;  # Request DNS servers

  send ia-na 1; # Request an Identity Association for Non-temporary Addresses (IA-NA)

  send ia-pd 1; # Request an Identity Association for Prefix Delegation (IA-PD)
};

id-assoc na 1 {
};

id-assoc pd 1 {
  # This is the largest prefix you can request from Comcast (16 subnets)
  # prefix ::/60 infinity;

  prefix-interface em0 {
    sla-id 0;   # Defines the subnet id. For Comcast it could be 0 through f.

    # Defines smallest IPv6 prefix size (/64) minus the prefix size the ISP
    # assigns us. For Comcast it could be up to four (/64 - /60)
    sla-len 0;

    # In WIDE-DHCP this would assign a specific IPv6 address to em0
    # i.e. [prefix][sla][ifid]
    # ifid 1;
  };

};

Code:
 cat /etc/rtadvd.conf
em0:\
    :raflags="mo"

A Windows host inside the network is configured with 2601:681:8300:127f:407b:807:40ab:7652. And when I run ping I get the following response:
Code:
C:\Users\KernelPanic>ping -6 www.google.com

Pinging www.google.com [2607:f8b0:4025:811::2004] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Monitoring from my FreeBSD gateway, I captured the outbound request, the inbound reply and my gateway responding in the following manner:
Code:
08:09:23.018682 IP6 2601:681:8300:127f:407b:807:40ab:7652 > 2607:f8b0:4025:811::2004: ICMP6, echo request, seq 17, length 40
08:09:23.032038 IP6 2607:f8b0:4025:811::2004 > 2601:681:8300:127f:407b:807:40ab:7652: ICMP6, echo reply, seq 17, length 40
08:09:26.071485 IP6 2001:558:6008:1e:d07c:4d9f:d0d2:9393 > 2607:f8b0:4025:811::2004: ICMP6, destination unreachable, unreachable address 2601:681:8300:127f:407b:807:40ab:7652, length 88
...
08:09:32.699523 IP6 2601:681:8300:127f:407b:807:40ab:7652 > 2607:f8b0:4025:811::2004: ICMP6, echo request, seq 19, length 40
08:09:32.707598 IP6 2607:f8b0:4025:811::2004 > 2601:681:8300:127f:407b:807:40ab:7652: ICMP6, echo reply, seq 19, length 40
08:09:35.707224 IP6 2001:558:6008:1e:d07c:4d9f:d0d2:9393 > 2607:f8b0:4025:811::2004: ICMP6, destination unreachable, unreachable address 2601:681:8300:127f:407b:807:40ab:7652, length 88

The IPv6 address of my FreeBSD firewall is 2001:558:6008:1e:d07c:4d9f:d0d2:9393 and it can ping and reach other IPv6 addresses on the Internet without any problems. I am not sure why it is responding in this manner for internal IPv6 addresses.

Code:
 netstat -rn
Routing tables

...

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           URS         lo0
default                           fe80::21c:73ff:fe00:99%re0    UG          re0
::1                               link#3                        UHS         lo0
::ffff:0.0.0.0/96                 ::1                           URS         lo0
2001:558:1018:800f::/64           link#2                        U           re0
2001:558:6008:1e:d07c:4d9f:d0d2:9393 link#2                     UHS         lo0
2601:681:8300:127f::/64           link#1                        U           em0
2601:681:8300:127f:6a05:caff:fe36:662 link#1                    UHS         lo0
fd00:0:d:1::/64                   link#2                        U           re0
fd00:0:101:11::/64                link#2                        U           re0
fe80::/10                         ::1                           URS         lo0
fe80::%em0/64                     link#1                        U           em0
fe80::6a05:caff:fe36:662%em0      link#1                        UHS         lo0
fe80::%re0/64                     link#2                        U           re0
fe80::76d4:35ff:fe02:8c9b%re0     link#2                        UHS         lo0
fe80::%lo0/64                     link#3                        U           lo0
fe80::1%lo0                       link#3                        UHS         lo0
ff02::/16                         ::1                           URS         lo0
 
Internal IPv6 also does not seem to work, as the Windows system cannot ping the FreeBSD gateway nor vice versa. The gateway receives the packet but appears to ignore it:
Code:
tcpdump -ni em0 host 2601:681:8300:127f:407b:807:40ab:7652
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:56:50.892558 IP6 2601:681:8300:127f:407b:807:40ab:7652 > 2001:558:6008:1e:d07c:4d9f:d0d2:9393: ICMP6, echo request, seq 29, length 40
09:56:55.589894 IP6 2601:681:8300:127f:407b:807:40ab:7652 > 2001:558:6008:1e:d07c:4d9f:d0d2:9393: ICMP6, echo request, seq 30, length 40
09:57:00.594511 IP6 2601:681:8300:127f:407b:807:40ab:7652 > 2001:558:6008:1e:d07c:4d9f:d0d2:9393: ICMP6, echo request, seq 31, length 40
09:57:05.594551 IP6 2601:681:8300:127f:407b:807:40ab:7652 > 2001:558:6008:1e:d07c:4d9f:d0d2:9393: ICMP6, echo request, seq 32, length 40

I do have pf enabled but it is open internally:
Code:
 pfctl -s rules | grep em0
pass in quick on em0 all flags S/SA keep state
pass out quick on em0 all flags S/SA keep state
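The capture above shows the gateway answering the echo reply with ICMPv6 "destination unreachable, unreachable address" for a host on its own on-link /64, which is what a router generates when neighbor resolution (NDP) for that address fails. As an added example (not from the thread, not FreeBSD's own tooling), here is a small Python checker that parses tcpdump output of this shape and flags replies that were delivered to the gateway and then declared unreachable for an on-link prefix; the sample lines, gateway address and prefix are copied from the thread, and the function names are my own.

```python
import ipaddress
import re

# Sample capture constructed from the lines quoted in the thread.
SAMPLE_CAPTURE = """\
08:09:23.018682 IP6 2601:681:8300:127f:407b:807:40ab:7652 > 2607:f8b0:4025:811::2004: ICMP6, echo request, seq 17, length 40
08:09:23.032038 IP6 2607:f8b0:4025:811::2004 > 2601:681:8300:127f:407b:807:40ab:7652: ICMP6, echo reply, seq 17, length 40
08:09:26.071485 IP6 2001:558:6008:1e:d07c:4d9f:d0d2:9393 > 2607:f8b0:4025:811::2004: ICMP6, destination unreachable, unreachable address 2601:681:8300:127f:407b:807:40ab:7652, length 88
08:09:32.699523 IP6 2601:681:8300:127f:407b:807:40ab:7652 > 2607:f8b0:4025:811::2004: ICMP6, echo request, seq 19, length 40
08:09:32.707598 IP6 2607:f8b0:4025:811::2004 > 2601:681:8300:127f:407b:807:40ab:7652: ICMP6, echo reply, seq 19, length 40
08:09:35.707224 IP6 2001:558:6008:1e:d07c:4d9f:d0d2:9393 > 2607:f8b0:4025:811::2004: ICMP6, destination unreachable, unreachable address 2601:681:8300:127f:407b:807:40ab:7652, length 88
"""

# tcpdump -n line layout: "<ts> IP6 <src> > <dst>: ICMP6, <body>"
LINE_RE = re.compile(r"^(?P<ts>\S+) IP6 (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): ICMP6, (?P<body>.*)$")
UNREACH_RE = re.compile(r"destination unreachable, unreachable address (?P<addr>[0-9a-fA-F:]+)")


def parse_line(line):
    """Return a dict describing one ICMPv6 line, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "kind": "other", "addr": None}
    body = m["body"]
    u = UNREACH_RE.search(body)
    if u:                                   # ICMPv6 type 1 code 3, address unreachable
        rec["kind"], rec["addr"] = "unreachable", u["addr"]
    elif body.startswith("echo reply"):
        rec["kind"] = "reply"
    elif body.startswith("echo request"):
        rec["kind"] = "request"
    return rec


def stale_neighbor_symptoms(capture, gateway_addrs, onlink_prefixes):
    """Flag (ts, host, peer) triples where the gateway received a reply for an
    on-link host and then told the peer that host's address is unreachable.
    That pattern points at failed neighbor resolution, not at routing or pf."""
    nets = [ipaddress.ip_network(p) for p in onlink_prefixes]
    gws = {ipaddress.ip_address(a) for a in gateway_addrs}
    delivered = set()                       # hosts for which a reply reached the gateway
    findings = []
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "reply":
            delivered.add(ipaddress.ip_address(rec["dst"]))
        elif rec["kind"] == "unreachable" and ipaddress.ip_address(rec["src"]) in gws:
            host = ipaddress.ip_address(rec["addr"])
            if any(host in n for n in nets) and host in delivered:
                findings.append((rec["ts"], str(host), rec["dst"]))
    return findings
```

Each flagged host is the address whose entry to inspect in `ndp -an` on the gateway; a missing or incomplete entry there confirms the resolution failure the capture implies.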
 
IPv6 for internal hosts is still working. There are a lot more neighbors showing up in ndp output now too.

I have no idea why running a command to view the mapping table for NDP would suddenly make it all start working. I'll have to check IPv6 the next time I reboot the gateway.
 