On Wed, May 20, 2020 at 07:00:56PM -0400, Jason Mader wrote:
> >Synopsis: IPv6 Internet hosts unreachable without a workaround
> >Category: system amd64
> >Environment:
> System : OpenBSD 6.7
> Details : OpenBSD 6.7 (GENERIC.MP) #182: Thu May 7 11:11:58 MDT 2020
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Architecture: OpenBSD.amd64
> Machine : amd64
> >Description:
> OpenBSD 6.7 guest in VirtualBox 6.1.8 on host macOS 10.15.4 where the
> VM has an IPv6-only bridge network interface over en0 (MacBook Pro
> Wi-Fi), it's not possible to reach hosts beyond the gateway when
> OpenBSD is started.
>
> It is possible to secure shell from the host OS to the OpenBSD guest
> OS, but any attempt from OpenBSD to reach hosts outside the local
> network (dns, ntpd, etc.) fails.
> >How-To-Repeat:
> On the OpenBSD guest, a `ping6 2607:f8b0:4004:808::2004`
> (www.google.com) doesn't have a response. A packet capture on the host
> OS shows that the echo packet is going out, and the reply is coming
> back. The reply just doesn't seem to register on the OpenBSD guest.
>
> That is, until I trigger the workaround described below.
> >Fix:
> While looking into this, by happenstance I noticed that right after I
> `ping6` the gateway router that networking immediately starts to work
> correctly. I tried putting a "!ping6" command in hostname.vio0 but at
> the point when this is run the messages show no route to host. So the
> workaround I have is to put "ping6 -c 1 $gateway" in /etc/rc right
> before "echo -n 'starting early daemons:'" and that is good enough
> that the subsequent daemons (like ntpd) will start and be able to
> resolve dns and reach destinations.
>
> Of course it could be a problem with VirtualBox, but I wanted to share
> this. I also hoped to find a better workaround than editing /etc/rc to
> trigger the `ping6` or other helper at a point before networking is
> needed.
>
This could be an issue with blocking ND packets in pf.conf.
Unlike ARP neighbor discovery uses multicast IPv6 packets which get
filtered by pf.conf. So something like this may help:
# allow IPv6 router side
pass in inet6 proto icmp6 icmp6-type { routersol neighbrsol }
# allow IPv6 client side on external
pass in on external inet6 proto icmp6 icmp6-type { routeradv neighbradv }
--
:wq Claudio
