Here goes: I can see the ping6 traffic from client to mirror.switch.ch traverse internal, then tunnel, then external (as encap) but I can't see pflog dropping it:

internal if:

casper ~ # tcpdump -i dc0 | grep -v domain | grep -v arp | grep -v www | grep -v ssh
17:25:35.169734 fe80::280:adff:fe75:1760 > fe80::224:d6ff:fe3b:588c: icmp6: neighbor adv: tgt is casper.nineinchnetworks.ch
17:25:35.583289 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:25:36.583473 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:25:37.583653 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:25:38.583846 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request

tunnel :

casper ~ # tcpdump -i gif0
tcpdump: listening on gif0, link-type NULL
17:24:34.582415 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:24:35.582591 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:24:36.582766 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request
17:24:37.582957 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request

external:

casper ~ # tcpdump -i bge0 | grep -v irc | grep -v www | grep -v domain | grep -v arp | grep -v 1194
17:25:22.581100 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)
17:25:23.581277 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)
17:25:24.581480 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)
17:25:25.581666 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)
17:25:26.581829 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)
17:25:27.581991 2001:1620:f2e1:0:20d:b9ff:fe17:bfec > mimas-nxge0.switch.ch: icmp6: echo request (encap)

firewall stuff:

casper ~ # tcpdump -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
17:24:18.636473 85-218-12-1.dclient.lsne.ch > ALL-SYSTEMS.MCAST.NET: igmp query [ttl 1]
17:24:52.493304 c-98-221-40-44.hsd1.pa.comcast.net.57053 > 85-218-10-62.dclient.lsne.ch.52680: udp 42
17:26:24.144277 85-218-12-1.dclient.lsne.ch > ALL-SYSTEMS.MCAST.NET: igmp query [ttl 1]
17:28:29.649077 85-218-12-1.dclient.lsne.ch > ALL-SYSTEMS.MCAST.NET: igmp query [ttl 1]

------------------------------------------------------------------------

And the routing tables :

client:

charybde ~ # netstat -rnf inet6
Routing tables

Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
::/104 ::1 UGRS 0 0 - 8 lo0
::/96 ::1 UGRS 0 0 - 8 lo0
default fe80::280:adff:fe75:1760%vr0 UG 0 36 - 4 vr0
::1 ::1 UH 14 0 33200 4 lo0
::127.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::224.0.0.0/100 ::1 UGRS 0 0 - 8 lo0
::255.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 - 8 lo0
2001:1620:f2e1::/64 link#1 UC 1 0 - 4 vr0
2001:1620:f2e1::1 00:80:ad:75:17:60 UHLc 0 2 - 4 vr0
2001:1620:f2e1:0:20d:b9ff:fe17:bfec 00:0d:b9:17:bf:ec UHL 0 0 - 4 lo0
2002::/24 ::1 UGRS 0 0 - 8 lo0
2002:7f00::/24 ::1 UGRS 0 0 - 8 lo0
2002:e000::/20 ::1 UGRS 0 0 - 8 lo0
2002:ff00::/24 ::1 UGRS 0 0 - 8 lo0
fe80::/10 ::1 UGRS 0 0 - 8 lo0
fe80::%vr0/64 link#1 UC 1 0 - 4 vr0
fe80::20d:b9ff:fe17:bfec%vr0 00:0d:b9:17:bf:ec UHL 1 0 - 4 lo0
fe80::280:adff:fe75:1760%vr0 00:80:ad:75:17:60 UHLc 1 12 - 4 vr0
fe80::%lo0/64 fe80::1%lo0 U 0 0 - 4 lo0
fe80::1%lo0 link#6 UHL 0 0 - 4 lo0
fec0::/10 ::1 UGRS 0 0 - 8 lo0
ff01::/16 ::1 UGRS 0 0 - 8 lo0
ff01::%vr0/32 link#1 UC 0 0 - 4 vr0
ff01::%lo0/32 ::1 UC 0 0 - 4 lo0
ff02::/16 ::1 UGRS 0 0 - 8 lo0
ff02::%vr0/32 link#1 UC 0 0 - 4 vr0
ff02::%lo0/32 ::1 UC 0 0 - 4 lo0

router/firewall:

casper ~ # netstat -rnf inet6
Routing tables

Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
::/104 ::1 UGRS 0 0 - 8 lo0
::/96 ::1 UGRS 0 0 - 8 lo0
default 2001:1620:f00:56::1 UGS 1 124576 - 8 gif0
::1 ::1 UH 14 0 33200 4 lo0
::127.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::224.0.0.0/100 ::1 UGRS 0 0 - 8 lo0
::255.0.0.0/104 ::1 UGRS 0 0 - 8 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 - 8 lo0
2001:1620:f00:56::1 2001:1620:f00:56::2 UH 1 20 - 4 gif0
2001:1620:f00:56::2 link#7 UHL 0 0 - 4 lo0
2001:1620:f2e1::/64 link#2 UC 2 0 - 4 dc0
2001:1620:f2e1::1 00:80:ad:75:17:60 UHL 1 214 - 4 lo0
2001:1620:f2e1:0:20d:b9ff:fe17:bfec 00:0d:b9:17:bf:ec UHLc 0 7 - 4 dc0
2001:1620:f2e1:0:224:d6ff:fe3b:588c 00:24:d6:3b:58:8c UHLc 1 3953 - 4 dc0
2001:1620:f2e3::/64 link#8 UC 0 0 - 4 tun1
2001:1620:f2e3::1 fe:e1:ba:d2:ff:03 UHL 0 0 - 4 lo0
2002::/24 ::1 UGRS 0 0 - 8 lo0
2002:7f00::/24 ::1 UGRS 0 0 - 8 lo0
2002:e000::/20 ::1 UGRS 0 0 - 8 lo0
2002:ff00::/24 ::1 UGRS 0 0 - 8 lo0
fe80::/10 ::1 UGRS 0 0 - 8 lo0
fe80::%bge0/64 link#1 UC 0 0 - 4 bge0
fe80::20d:9dff:fe9b:70d2%bge0 00:0d:9d:9b:70:d2 HL 0 0 - 4 lo0
fe80::%dc0/64 link#2 UC 2 0 - 4 dc0
fe80::20d:b9ff:fe17:bfec%dc0 00:0d:b9:17:bf:ec UHLc 0 12 - 4 dc0
fe80::224:d6ff:fe3b:588c%dc0 00:24:d6:3b:58:8c UHLc 0 27237 - 4 dc0
fe80::280:adff:fe75:1760%dc0 00:80:ad:75:17:60 UHL 0 0 - 4 lo0
fe80::%lo0/64 fe80::1%lo0 U 0 0 - 4 lo0
fe80::1%lo0 link#4 UHL 0 0 - 4 lo0
fe80::%gif0/64 link#7 UC 0 0 - 4 gif0
fe80::20d:9dff:fe9b:70d2%gif0 link#7 UHL 0 0 - 4 lo0
fe80::%tun1/64 link#8 UC 1 0 - 4 tun1
fe80::18c5:75ff:fed2:2ca6%tun1 1a:c5:75:d2:2c:a6 UHLc 0 10 - 4 tun1
fe80::fce1:baff:fed2:ff03%tun1 fe:e1:ba:d2:ff:03 HL 0 0 - 4 lo0
fe80::%tun2/64 link#9 UC 0 0 - 4 tun2
fe80::fce1:baff:fed4:7555%tun2 fe:e1:ba:d4:75:55 HL 0 0 - 4 lo0
fe80::%tun3/64 link#10 UC 0 0 - 4 tun3
fe80::fce1:baff:fed6:c574%tun3 fe:e1:ba:d6:c5:74 HL 0 0 - 4 lo0
fec0::/10 ::1 UGRS 0 0 - 8 lo0
ff01::/16 ::1 UGRS 0 0 - 8 lo0
ff01::%bge0/32 link#1 UC 0 0 - 4 bge0
ff01::%dc0/32 link#2 UC 0 0 - 4 dc0
ff01::%lo0/32 ::1 UC 0 0 - 4 lo0
ff01::%gif0/32 link#7 UC 0 0 - 4 gif0
ff01::%tun1/32 link#8 UC 0 0 - 4 tun1
ff01::%tun2/32 link#9 UC 0 0 - 4 tun2
ff01::%tun3/32 link#10 UC 0 0 - 4 tun3
ff02::/16 ::1 UGRS 3 0 - 8 lo0
ff02::%bge0/32 link#1 UC 0 0 - 4 bge0
ff02::%dc0/32 link#2 UC 0 0 - 4 dc0
ff02::%lo0/32 ::1 UC 0 0 - 4 lo0
ff02::%gif0/32 link#7 UC 0 0 - 4 gif0
ff02::%tun1/32 link#8 UC 10 0 - 4 tun1
ff02::1:ff0b:7c7b%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff36:b079%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff3a:2938%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff48:37d6%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff4c:1dd9%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff52:4e02%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ff6a:b2d1%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ffb8:41a3%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ffbf:b353%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::1:ffd2:2ca6%tun1 link#8 UHLc 0 0 - 4 tun1
ff02::%tun2/32 link#9 UC 0 0 - 4 tun2
ff02::%tun3/32 link#10 UC 0 0 - 4 tun3

So to conclude... could it simply be that my uplink provider isn't routing traffic from my /64 (well it's a /48 but I subdivided it)?

Cheers for your patience,

Noth

Paul de Weerd wrote:
> On Tue, Jan 04, 2011 at 05:49:08PM +0100, nothingness wrote:
> <SNIP all sysctl output>
>
> So are you sure rtadvd is working as it should ? Can you show the
> configuration of one of your client interfaces ? Also the routing
> table of your client and your router (netstat -rnf inet6).
>
> Try to ping6 something on the internet from a host in your LAN and
> tcpdump on the internal interface of your router, the tunnel interface
> of your router, the external interface of your router and pflog0.
> What do you see ?
>
> Paul 'WEiRD' de Weerd
