Hi,

I'm trying out IPv6 on my host (lilium), directly connected to the
internet.  pppoe0 has one public IPv4 and IPv6 address. I have got 95%
ping loss on IPv6. IPv4 works fine.

The icmp requests come in on my pppoe0 interface, but as far as I can
see, the pf-match counters increase only a bit when I open a continuous
ping from an external host. I do get a reply every 23rd ping or so.

The counter for 'match in on pppoe0 inet6' is not increasing at all for
some reason.

If I uncomment 'pass in on pppoe0 inet6' ping is working all the time,
but I can't explain the 5% reply.

This is not my final pf config. I'm just learning this stuff.

Thanks!
Pieter

externalhost:~$ ping6  2001:980:3306:0:200:24ff:fecd:7df8
<snip>
^C
--- 2001:980:3306:0:200:24ff:fecd:7df8 ping statistics ---
970 packets transmitted, 42 received, 95% packet loss, time 974924ms
rtt min/avg/max/mdev = 16.005/17.816/61.019/6.755 ms

A look at tcpdump on lilium:
$ sudo tcpdump -i pppoe0 icmp6
Password:
tcpdump: listening on pppoe0, link-type PPP_ETHER
14:44:31.763653 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:32.771381 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:33.779579 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:33.779810 2001:980:3306:0:200:24ff:fecd:7df8 > xs8.xs4all.nl: icmp6: echo reply
14:44:34.780870 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:35.787575 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:36.795766 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:37.803459 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:38.811654 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:39.819115 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:40.848115 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:41.835736 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:42.843185 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:43.851684 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:44.859811 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:45.867267 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:46.875449 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:47.883991 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:48.891351 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:49.899560 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:50.907737 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:51.915566 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:52.923601 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:53.931576 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:54.939495 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:55.947474 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:55.947720 2001:980:3306:0:200:24ff:fecd:7df8 > xs8.xs4all.nl: icmp6: echo reply
14:44:56.283017 fe80::90:1a00:1a1:88e6 > ff02::1: icmp6: router advertisement
14:44:56.949772 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:57.955698 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:58.963152 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:59.971384 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request

And a bit of pf logging:
$ sudo tcpdump -n -e -ttt -r /var/log/pflog icmp6
tcpdump: WARNING: snaplen raised from 116 to 160
Jul 16 14:31:23.223439 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:31:23.223547 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:31:47.406995 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:31:47.407099 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:32:07.559498 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:32:07.559604 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:32:34.767123 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:32:34.767223 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:33:01.975001 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:33:01.975108 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:33:24.675827 rule 1/(match) match in on pppoe0: fe80::90:1a00:1a1:88e6 > ff02::1: icmp6: router advertisement

$ cat hostname.bridge0
add vether0
add vr1
add vr2
add vr3
up
$ cat hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
pppoedev vr0 authproto pap \
authname 'p...@xs4all.nl' authkey 'bar' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

$ sudo cat /etc/pf.conf
set skip on lo0
set skip on ral0
set skip on bridge0

match on pppoe0 scrub (max-mss 1440)
match log on pppoe0 inet6

big_scary_world = "!10.0.0.0/16"
inside_network  = "10.0.0.0/16"
rfc1918         = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
int_if          = vr1
ext_if          = pppoe0
tcp_services    = "{ discard, chargen, time, echo, http }"
table           <int_nat_src_addr> const { 10.0.0.0/16, !10.0.0.1 }

# ssh backup rule
pass in quick proto tcp from any port { 443 }

# Begin
block in on $ext_if from $big_scary_world
pass on $ext_if proto icmp from any to any
pass on $ext_if proto tcp from any to any port 443
pass on $ext_if proto tcp from any to any port $tcp_services

pass in from $inside_network
pass out on $ext_if from <int_nat_src_addr> to any nat-to 80.101.175.113
pass out from { $ext_if $int_if }

match on pppoe0 proto icmp6
match in on pppoe0 inet6
match out on pppoe0 inet6
#block in on pppoe0 inet6
#pass in on pppoe0 inet6

$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cd:7d:f8
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fecd:7df8%vr0 prefixlen 64 scopeid 0x1
vr1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cd:7d:f9
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fecd:7df9%vr1 prefixlen 64 scopeid 0x2
vr2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cd:7d:fa
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::200:24ff:fecd:7dfa%vr2 prefixlen 64 scopeid 0x3
vr3: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:cd:7d:fb
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
        inet6 fe80::200:24ff:fecd:7dfb%vr3 prefixlen 64 scopeid 0x4
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:12:0e:61:48:98
        priority: 4
        groups: wlan
        media: IEEE802.11 OFDM54 mode 11g hostap (autoselect mode 11g hostap)
        status: active
        ieee80211: <snip>
        inet6 fe80::212:eff:fe61:4898%ral0 prefixlen 64 scopeid 0x7
vether0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr fe:e1:ba:d0:da:90
        priority: 0
        groups: vether
        media: Ethernet autoselect
        status: active
        inet 10.0.0.1 netmask 0xffff0000 broadcast 10.0.255.255
pppoe0: flags=8951<UP,POINTOPOINT,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1492
        priority: 0
        dev: vr0 state: session
        sid: 0x6 PADI retries: 0 PADR retries: 0 time: 16:40:48
        sppp: phase network authproto pap
        groups: pppoe egress
        status: active
        inet 80.101.175.113 --> 194.109.5.213 netmask 0xffffffff
        inet6 fe80::200:24ff:fecd:7df8%pppoe0 ->  prefixlen 64 scopeid 0x9
        inet6 2001:980:3306:0:200:24ff:fecd:7df8 ->  prefixlen 64
bridge0: flags=41<UP,RUNNING>
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        vether0 flags=3<LEARNING,DISCOVER>
                port 8 ifpriority 0 ifcost 0
        vr1 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
        vr2 flags=3<LEARNING,DISCOVER>
                port 3 ifpriority 0 ifcost 0
        vr3 flags=3<LEARNING,DISCOVER>
                port 4 ifpriority 0 ifcost 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
        priority: 0
        groups: pflog

pfTop: Up Rule 1-20/20, View: rules, Cache: 10000 14:51:23

RULE ACTION DIR LOG Q IF     PR        K  PKTS  BYTES STATES MAX INFO
   0 Match  Any       pppoe0               263 126141      0     all max-mss 1440
   1 Match  Any Log   pppoe0                45   4680      0     inet6 all
   2 Pass   In      Q        tcp       K     0      0      0     from any port = https to any flags S/SA
   3 Block  In        pppoe0                 1     40      0     drop inet from ! 10.0.0.0/16 to any
   4 Pass   Any       pppoe0 tcp       K     0      0      0     from any to any port = https flags S/SA
   5 Pass   Any       pppoe0 tcp       K     0      0      0     from any to any port = discard flags S/SA
   6 Pass   Any       pppoe0 tcp       K     0      0      0     from any to any port = chargen flags S/SA
   7 Pass   Any       pppoe0 tcp       K     0      0      0     from any to any port = time flags S/SA
   8 Pass   Any       pppoe0 tcp       K     0      0      0     from any to any port = echo flags S/SA
   9 Pass   Any       pppoe0 tcp       K   206 120141      9     from any to any port = www flags S/SA
  10 Pass   Any       pppoe0 icmp      K     0      0      0     all
  11 Pass   In                         K     0      0      0     inet from 10.0.0.0/16 to any flags S/SA
  12 Pass   Out       pppoe0           K     0      0      0     inet from <int_nat_src_addr> to any flags S/SA
  13 Pass   Out       pppoe0           K     0      0      0     inet6 from fe80::200:24ff:fecd:7df8/128 to any flags S/SA
  14 Pass   Out                        K    45   4680     45     inet6 from 2001:980:3306:0:200:24ff:fecd:7df8/128 to any flags S/SA
  15 Pass   Out       vr1              K     0      0      0     inet6 from fe80::200:24ff:fecd:7df9/128 to any flags S/SA
  16 Pass   Out                        K    12   1320      6     inet from 80.101.175.113/32 to any flags S/SA
  17 Match  In        pppoe0                 0      0      0     inet6 all
  18 Match  Out       pppoe0                45   4680      0     inet6 all
  19 Match  Any       pppoe0 ipv6-icmp      45   4680      0     all
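
An added example, not part of the original post: a small Python parser for the pflog lines quoted above that measures the time between logged inbound echo requests, to put a number on the "reply every 23rd ping or so" observation. The sample lines are copied from the post; `ASSUMED_YEAR` and the function names are assumptions, since the log carries no year.

```python
import re
from datetime import datetime

# Lines copied from the pflog output in the post. The log has no year, so
# ASSUMED_YEAR is an assumption used only to make the timestamps parseable.
ASSUMED_YEAR = 2000
SAMPLE = """\
Jul 16 14:31:23.223439 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:31:23.223547 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:31:47.406995 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:31:47.407099 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:32:07.559498 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:32:07.559604 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:32:34.767123 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:32:34.767223 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:33:01.975001 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:33:01.975108 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:33:24.675827 rule 1/(match) match in on pppoe0: fe80::90:1a00:1a1:88e6 > ff02::1: icmp6: router advertisement
"""

# timestamp, rule number, reason, action, direction, interface, src, dst, ICMPv6 type
LINE = re.compile(
    r"^(\w{3} +\d+ [\d:.]+) rule (\d+)/\((\w+)\) (\w+) (in|out) on (\S+): "
    r"(\S+) > (\S+): icmp6: (.+)$")

def parse(text):
    """Return one dict per pflog icmp6 line; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, rule, _reason, action, direction, ifname, src, dst, kind = m.groups()
        when = datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S.%f")
        events.append({"time": when, "rule": int(rule), "action": action,
                       "dir": direction, "if": ifname, "src": src,
                       "dst": dst, "kind": kind})
    return events

def request_gaps(events):
    """Seconds between consecutive logged inbound echo requests."""
    times = [e["time"] for e in events
             if e["dir"] == "in" and e["kind"] == "echo request"]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    gaps = request_gaps(parse(SAMPLE))
    print(f"{len(gaps)} gaps, mean {sum(gaps) / len(gaps):.1f}s:",
          [round(g, 1) for g in gaps])
```

On the sample this gives four gaps between 20 and 28 seconds, in line with the reported reply rate for a ping sent about once per second.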
