On 03/27/2015 01:31 PM, Bastien Durel wrote:
> Hello.
>
> I have an openbsd router with 2 upstreams (one pppoe (pppoe0 on sis1),
> one ipoe (sis0)).
> I have a sixxs (6-in-4) tunnel (gif0).
>
> If the gif tunnel is on one of my providers (pppoe0), it works well.
>
>     gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>             description: Sixxs
>             priority: 0
>             groups: gif egress
>             tunnel: inet 109.190.17.241 -> 212.100.184.146
>             inet6 fe80::200:24ff:fecf:42ac%gif0 -> prefixlen 64 scopeid 0xc
>             inet6 2001:6f8:202:19c::2 -> 2001:6f8:202:19c::1 prefixlen 128
>
> the 2001:6f8:3c8::/48 subnet which is routed via this tunnel
>
> This provider gives me native IPv6, so the tunnel is pretty useless, and
> I want to put it on the other provider, which doesn't.
>
> But when I move it to the other provider, the tunnel basically works (I
> can ping an inside box (2001:6f8:3c8:42:xxx) from the outside), but the
> router does not answer to ping, on the tunnel endpoint IPv6
> (2001:6f8:202:19c::2) nor on any other interface (in 2001:6f8:3c8::/48).
>
> Then sixxs counts it as down, and will disable it if nothing is done. I
> can ping from router to remote tunnel endpoint (2001:6f8:202:19c::1),
> but remote tunnel endpoint does not get any answer when it pings my
> router endpoint, nor can I ping it from outside.
>
> If I tcpdump gif0, I can see icmpv6 in and out.
>
> Do you have any clue?
>
> Thanks,

I've seen a similar problem with traceroute: ping from inside to outside
IPv6 host works. Traceroute packets leaving gif0 are visible leaving via
ipv4 interface. Traceroute ICMP6 packets returned are visible entering
gif0 but aren't visible in pf (at least what I've tried).

    pass in log on gif0 any

doesn't give me anything. I may misunderstand log vs rule matching.

Is there a rule which will guarantee that a packet will be logged
no matter what happens to it later in pf processing?

The IPv6 packets cross routing domains to get to/from gif0.

I could set up a test net (4 machines) to debug this if I had
better knowledge
(a) about logging as above
(b) where to look in the code to put information gathering code.

I suspect some sort of mismatch in the state matching code but
that's because I can't think of anywhere else.

If anyone has a little time to suggest places to look I'd appreciate it.
If sending to tech@ would be helpful I'll do that.

thanks
Geoff Steckel