Good afternoon.
I am having trouble with my OpenBSD 6.3 router as it does not forward
IPv6 packets anymore, whereas it did with no trouble a week ago (when I
used a tunnel).
Long version: I managed to get dhcpcd to craft the exact request to
match my ISP's routers' expectations and since that moment, I get native
IPv6 and prefix delegation on my router. So I dropped the HE tunnel.
For one day, I got IPv6 packets forwarded natively, the way it should
be.
But I actually had two addresses on each delegated interface. So Roy
Marples provided a new patch. Now I get only one address, and it matches
my wishes.
But somewhere in the process, the router itself stopped forwarding
packets.
I can ping6 from the router to the outside. I can ping the router from
my inside network. But I cannot ping6 the internet from my network.
I tried several times to start from a clean state. For example, this
morning: reboot of the router without the network or PF. Starting
dhcpcd and assigning IPv6 addresses. Then, still without PF, trying to
ping6 the outside. Nope.
Here are the data:
(re0 is egress on my router, re2 is my lan iface and athn0 is my wifi
card)
stephane@mirror:/home/stephane ifconfig all inet6
re0: flags=648843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,INET6_NOPRIVACY,AUTOCONF6,INET6_NOSOII> mtu 1500
        lladdr 00:22:07:3e:a8:10
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::222:7ff:fe3e:a810%re0 prefixlen 64 scopeid 0x1
        inet6 2a06:4000:10:0:222:7ff:fe3e:a810 prefixlen 64 autoconf pltime 3509 vltime 7109
        inet6 2a06:4000:10::c7 prefixlen 128 pltime 2653 vltime 3653
re1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:b9:3e:a8:11
        index 2 priority 0 llprio 3
        media: Ethernet autoselect (10baseT half-duplex)
        status: no carrier
re2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0d:b9:3e:a8:12
        index 3 priority 0 llprio 3
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::cec3:4162:130a:d4be%re2 prefixlen 64 scopeid 0x3
        inet6 fd00:22:dec:e2::1 prefixlen 64
        inet6 2a06:4001:c7:e2::1 prefixlen 64 pltime 2653 vltime 3653
athn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:24:2b:72:d1:df
        index 4 priority 4 llprio 3
        groups: wlan
        media: IEEE802.11 autoselect mode 11n hostap
        status: active
        ieee80211: ...
        inet6 fe80::f9bd:e21d:632e:7f6%athn0 prefixlen 64 scopeid 0x4
        inet6 fd00:22:dec:a0::1 prefixlen 64
        inet6 2a06:4001:c7:a0::1 prefixlen 64 pltime 2653 vltime 3653
enc0: flags=0<>
        index 5 priority 0 llprio 3
        groups: enc
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 6 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 7 priority 0 llprio 3
        groups: pflog
stephane@mirror:/home/stephane route -n show -inet6
Routing tables
Internet6:
Destination                          Gateway                           Flags  Refs Use     Mtu    Prio Iface
default                              fe80::10:1%re0                    UGSP   2    101126  -      56   re0
default                              fe80::10:2%re0                    UGSP   0    0       -      56   re0
::/96                                ::1                               UGRS   0    0       32768  8    lo0
::1                                  ::1                               UHhl   13   5847    32768  1    lo0
::ffff:0.0.0.0/96                    ::1                               UGRS   0    0       32768  8    lo0
2002::/24                            ::1                               UGRS   0    0       32768  8    lo0
2002:7f00::/24                       ::1                               UGRS   0    0       32768  8    lo0
2002:e000::/20                       ::1                               UGRS   0    0       32768  8    lo0
2002:ff00::/24                       ::1                               UGRS   0    0       32768  8    lo0
2a06:4000:10::/64                    2a06:4000:10:0:222:7ff:fe3e:a810  UCn    1    3       -      4    re0
2a06:4000:10::1                      cc:1a:fa:e7:47:c0                 UHLc   0    13      -      3    re0
2a06:4000:10::c7                     00:22:07:3e:a8:10                 UHLl   0    9389    -      1    re0
2a06:4000:10:0:222:7ff:fe3e:a810     00:22:07:3e:a8:10                 UHLl   0    564     -      1    re0
2a06:4001:c7::/48                    ::1                               UGRS   0    2       32768  8    lo0
2a06:4001:c7:a0::/64                 2a06:4001:c7:a0::1                UCn    1    0       -      8    athn0
2a06:4001:c7:a0::1                   00:24:2b:72:d1:df                 UHLl   0    405     -      1    athn0
2a06:4001:c7:a0:208:22ff:fe32:18fc   link#4                            UHLc   0    34      -      7    athn0
2a06:4001:c7:e2::/64                 2a06:4001:c7:e2::1                UCn    6    2       -      4    re2
2a06:4001:c7:e2::1                   00:0d:b9:3e:a8:12                 UHLl   0    1896    -      1    re2
2a06:4001:c7:e2::2                   bc:5f:f4:73:a7:e0                 UHLc   0    1014    -      3    re2
2a06:4001:c7:e2:226:b9ff:fef6:d709   link#3                            UHLc   0    43      -      3    re2
2a06:4001:c7:e2:56ee:75ff:fe03:f15b  link#3                            UHLc   0    36      -      3    re2
2a06:4001:c7:e2:b625:7928:e117:2f15  00:26:b9:f6:d7:09                 UHLc   0    18512   -      3    re2
2a06:4001:c7:e2:dad4:3cff:fe60:4507  link#3                            UHLc   0    35      -      3    re2
2a06:4001:c7:e2:ee08:6bff:fe73:2eda  ec:08:6b:73:2e:da                 UHLc   73   3522    -      3    re2
fd00:22:dec:a0::/64                  fd00:22:dec:a0::1                 UCn    1    0       -      8    athn0
fd00:22:dec:a0::1                    00:24:2b:72:d1:df                 UHLl   0    419     -      1    athn0
fd00:22:dec:a0:208:22ff:fe32:18fc    link#4                            UHLc   1    33      -      7    athn0
fd00:22:dec:e2::/64                  fd00:22:dec:e2::1                 UCn    7    152     -      4    re2
fd00:22:dec:e2::1                    00:0d:b9:3e:a8:12                 UHLl   0    13537   -      1    re2
fd00:22:dec:e2::2                    bc:5f:f4:73:a7:e0                 UHLc   0    337     -      3    re2
fd00:22:dec:e2::3                    bc:5f:f4:73:a7:e0                 UHLc   5    4371    -      3    re2
fd00:22:dec:e2:226:b9ff:fef6:d709    link#3                            UHLc   0    194     -      3    re2
fd00:22:dec:e2:56ee:75ff:fe03:f15b   link#3                            UHLc   0    186     -      3    re2
fd00:22:dec:e2:7d2c:f443:dd44:5e43   00:26:b9:f6:d7:09                 UHLc   1    27      -      3    re2
fd00:22:dec:e2:dad4:3cff:fe60:4507   link#3                            UHLc   0    185     -      3    re2
fd00:22:dec:e2:ee08:6bff:fe73:2eda   ec:08:6b:73:2e:da                 UHLc   1    1355    -      3    re2
fe80::/10                            ::1                               UGRS   0    4       32768  8    lo0
fec0::/10                            ::1                               UGRS   0    0       32768  8    lo0
fe80::%re0/64                        fe80::222:7ff:fe3e:a810%re0       UCn    2    2       -      4    re0
fe80::10:1%re0                       cc:1a:fa:e7:47:c0                 UHLch  1    3451    -      3    re0
fe80::10:2%re0                       cc:1a:fa:e6:c2:00                 UHLch  1    47      -      3    re0
fe80::222:7ff:fe3e:a810%re0          00:22:07:3e:a8:10                 UHLl   0    894     -      1    re0
fe80::%re2/64                        fe80::cec3:4162:130a:d4be%re2     UCn    2    5       -      4    re2
fe80::c2a0:995:5796:5560%re2         00:26:b9:f6:d7:09                 UHLc   0    553     -      3    re2
fe80::cec3:4162:130a:d4be%re2        00:0d:b9:3e:a8:12                 UHLl   0    1073    -      1    re2
fe80::ee08:6bff:fe73:2eda%re2        ec:08:6b:73:2e:da                 UHLc   0    4359    -      3    re2
fe80::%athn0/64                      fe80::f9bd:e21d:632e:7f6%athn0    UCn    0    0       -      8    athn0
fe80::f9bd:e21d:632e:7f6%athn0       00:24:2b:72:d1:df                 UHLl   0    207     -      1    athn0
fe80::1%lo0                          fe80::1%lo0                       UHl    0    0       32768  1    lo0
ff01::/16                            ::1                               UGRS   0    4       32768  8    lo0
ff01::%re0/32                        fe80::222:7ff:fe3e:a810%re0       Um     0    2       -      4    re0
ff01::%re2/32                        fe80::cec3:4162:130a:d4be%re2     Um     0    3       -      4    re2
ff01::%athn0/32                      fe80::f9bd:e21d:632e:7f6%athn0    Um     0    3       -      4    athn0
ff01::%lo0/32                        ::1                               Um     0    1       32768  4    lo0
ff02::/16                            ::1                               UGRS   0    4       32768  8    lo0
ff02::%re0/32                        fe80::222:7ff:fe3e:a810%re0       Um     0    3       -      4    re0
ff02::%re2/32                        fe80::cec3:4162:130a:d4be%re2     Um     0    17      -      4    re2
ff02::%athn0/32                      fe80::f9bd:e21d:632e:7f6%athn0    Um     0    4       -      4    athn0
ff02::%lo0/32                        ::1                               Um     0    1       32768  4    lo0
The router is supposed to forward:
stephane@mirror:/home/stephane sysctl net.inet6.ip6.forwarding
net.inet6.ip6.forwarding=1
Here are the PF rules:
stephane@mirror:/home/stephane doas pfctl -sr|grep inet6
pass quick inet6 proto ipv6-icmp from any to (self) icmp6-type neighbradv
pass quick inet6 proto ipv6-icmp from any to (self) icmp6-type neighbrsol
pass quick inet6 proto ipv6-icmp from any to (self) icmp6-type routeradv
pass quick inet6 proto ipv6-icmp from any to (self) icmp6-type routersol
pass quick inet6 proto ipv6-icmp from any to (self) icmp6-type redir
pass quick inet6 proto ipv6-icmp from any to ff00::/8 icmp6-type neighbradv
pass quick inet6 proto ipv6-icmp from any to ff00::/8 icmp6-type neighbrsol
pass quick inet6 proto ipv6-icmp from any to ff00::/8 icmp6-type routeradv
pass quick inet6 proto ipv6-icmp from any to ff00::/8 icmp6-type routersol
pass quick inet6 proto ipv6-icmp from any to ff00::/8 icmp6-type redir
pass quick inet6 proto ipv6-icmp all icmp6-type unreach
pass quick inet6 proto ipv6-icmp all icmp6-type timex
pass quick inet6 proto ipv6-icmp all icmp6-type paramprob
pass quick inet6 proto ipv6-icmp all icmp6-type echoreq
pass quick inet6 proto ipv6-icmp all icmp6-type echorep
pass quick inet6 proto ipv6-icmp all icmp6-type toobig
pass out quick on re0 inet6 proto udp from (re0) to ff02::1:2 port = 547
pass in quick on re0 inet6 proto udp from any to (re0) port = 546
pass in inet6 proto udp from (re2:network) to any port = 123 rdr-to (self) port 123 round-robin
pass in inet6 proto udp from (athn0:network) to any port = 123 rdr-to (self) port 123 round-robin
pass in on re0 inet6 proto tcp from any to 2a06:4001:c7:e2::2 port = 443 flags S/SA
pass in on re0 inet6 proto tcp from any to 2a06:4001:c7:e2::2 port = 80 flags S/SA
pass in on re0 inet6 proto tcp from any to 2a06:4001:c7:e2::2 port = 587 flags S/SA set ( prio 2 )
pass in on re0 inet6 proto tcp from any to 2a06:4001:c7:e2::2 port = 4190 flags S/SA set ( prio 2 )
pass in on re0 inet6 proto tcp from any to 2a06:4001:c7:e2::2 port = 143 flags S/SA set ( prio 2 )
pass in on re0 inet6 proto tcp from any to 2a06:4001:c7:e2::2 port = 9418 flags S/SA
pass in on re0 inet6 proto tcp from any to 2a06:4001:c7:e2::2 port = 22 flags S/SA
pass in on re0 inet6 proto tcp from any to 2a06:4001:c7:e2::2 port = 50000 flags S/SA
pass in on re0 inet6 proto tcp from any to 2a06:4001:c7:e2::2 port = 53 flags S/SA
pass in on re0 inet6 proto udp from any to 2a06:4001:c7:e2::2 port = 53
I can ping6 my ISP's router or its website (or Google for example):
stephane@mirror:/home/stephane ping6 2a06:4000:10::1
PING 2a06:4000:10::1 (2a06:4000:10::1): 56 data bytes
64 bytes from 2a06:4000:10::1: icmp_seq=0 hlim=64 time=17.991 ms
64 bytes from 2a06:4000:10::1: icmp_seq=1 hlim=64 time=63.390 ms
64 bytes from 2a06:4000:10::1: icmp_seq=2 hlim=64 time=54.410 ms
^C
--- 2a06:4000:10::1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 17.991/45.264/63.390/19.630 ms
stephane@mirror:/home/stephane ping6 2a06:4000:0:4::3
PING 2a06:4000:0:4::3 (2a06:4000:0:4::3): 56 data bytes
64 bytes from 2a06:4000:0:4::3: icmp_seq=0 hlim=63 time=169.855 ms
64 bytes from 2a06:4000:0:4::3: icmp_seq=1 hlim=63 time=84.133 ms
^C
--- 2a06:4000:0:4::3 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 84.133/126.994/169.855/42.861 ms
But pinging from a host inside the network...
stephane@blackblock:/home/stephane ping6 2a06:4000:0:4::3
PING 2a06:4000:0:4::3 (2a06:4000:0:4::3): 56 data bytes
^C
--- 2a06:4000:0:4::3 ping statistics ---
6 packets transmitted, 0 packets received, 100.0% packet loss
The network receives router advertisements. Here is a routing table.
stephane@blackblock:/home/stephane route -n show -inet6
Routing tables
Internet6:
Destination            Gateway              Flags  Refs Use     Mtu    Prio Iface
default                2a06:4001:c7:e2::1   UGS    4    661557  -      8    re0
::1                    ::1                  UHl    16   32563   32768  1    lo0
2a06:4001:c7:e2::/64   2a06:4001:c7:e2::2   UCn    1    37      -      4    re0
......
2a06:4001:c7:e2::1 is re2 on the router, and I can ping6 it, no trouble.
So everything works as if there is no more forwarding, even though there should be.
I am open to any suggestion or testing you may have or request.