Hi all, I'm trying to get IPv6 set up on a firewall box running 6.4. I'm using dhcpcd to get an NA and several PDs, which appears to be working fine, but no normal v6 traffic can be sent or received. tcpdump on the egress interface (em3) shows lots of icmp6 neighbor solicits going back and forth, but no responses from either side:

$ ifconfig em3
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 0c:c4:7a:ad:2a:e7
        index 4 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::8dfc:5795:8ab7:e2b%em3 prefixlen 64 scopeid 0x4
        inet <omitted> netmask 0xffffe000 broadcast <omitted>
        inet6 2605:a601:fe07:c900::1 prefixlen 128 pltime 64553 vltime 86153

$ tcpdump -nlp -i em3 ip6
... neighbor sol repeating many times ...
22:46:53.876457 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:01.876688 fe80::2d0:f6ff:feea:4ff0 > 2605:a601:fe07:c900::1: icmp6: neighbor sol: who has 2605:a601:fe07:c900::1 [class 0xc0]
22:47:01.876778 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:01.877542 fe80::2d0:f6ff:feea:4ff0 > fe80::8dfc:5795:8ab7:e2b: icmp6: neighbor sol: who has fe80::8dfc:5795:8ab7:e2b [class 0xc0]
22:47:02.876594 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:03.876603 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
22:47:32.337233 fe80::8dfc:5795:8ab7:e2b.546 > ff02::1:2.547: dhcp6 release [hlim 1]
22:47:32.515413 fe80::2d0:f6ff:feea:4ff0.547 > fe80::8dfc:5795:8ab7:e2b.546: dhcp6 [class 0xc0]

I added "pass quick on em3 inet6" to the top of pf.conf to make sure the responses aren't being filtered. The peer LL address is always marked incomplete:

$ ndp -na | grep em3
2605:a601:fe07:c900::1           0c:c4:7a:ad:2a:e7  em3 permanent R l
fe80::2d0:f6ff:feea:4ff0%em3     00:d0:f6:ea:51:96  em3 expired   I R
fe80::8dfc:5795:8ab7:e2b%em3     0c:c4:7a:ad:2a:e7  em3 permanent R l

Pinging any v6 address outside my network only results in one

fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0

per ping sent.

Routes:

$ route -n show -inet6 | grep em3
default                          fe80::2d0:f6ff:feea:4ff0%em3   UGS    0  53699   -  8 em3
2605:a601:fe07:c900::1           0c:c4:7a:ad:2a:e7              UHLl   0  1752    -  1 em3
fe80::%em3/64                    fe80::8dfc:5795:8ab7:e2b%em3   UCn    1  1       -  4 em3
fe80::2d0:f6ff:feea:4ff0%em3     00:d0:f6:ea:51:96              UHLch  1  720183  -  3 em3
fe80::8dfc:5795:8ab7:e2b%em3     0c:c4:7a:ad:2a:e7              UHLl   0  110606  -  1 em3
ff01::%em3/32                    fe80::8dfc:5795:8ab7:e2b%em3   Um     0  3       -  4 em3
ff02::%em3/32                    fe80::8dfc:5795:8ab7:e2b%em3   Um     0  161322  -  4 em3

There is a managed switch between the firewall's egress and the ISP, but it's not doing any packet filtering. I'm currently out of ideas; any suggestions would be much appreciated.