Hi,
I'm trying out IPv6 on my host (lilium), which is directly connected to
the internet. pppoe0 has one public IPv4 and one IPv6 address. I get 95%
ping loss on IPv6; IPv4 works fine.
The ICMP requests come in on my pppoe0 interface, but as far as I can
see the pf match counters increase only a little when I run a continuous
ping from an external host. I do get a reply every 23rd ping or so.
The counter for 'match in on pppoe0 inet6' is not increasing at all, for
some reason.
If I uncomment 'pass in on pppoe0 inet6', ping works all the time, but I
can't explain the 5% of replies.
This is not my final pf config. I'm just learning this stuff.
Thanks!
Pieter
externalhost:~$ ping6 2001:980:3306:0:200:24ff:fecd:7df8
<snip>
^C
--- 2001:980:3306:0:200:24ff:fecd:7df8 ping statistics ---
970 packets transmitted, 42 received, 95% packet loss, time 974924ms
rtt min/avg/max/mdev = 16.005/17.816/61.019/6.755 ms
A look at tcpdump on lilium:
$ sudo tcpdump -i pppoe0 icmp6
Password:
tcpdump: listening on pppoe0, link-type PPP_ETHER
14:44:31.763653 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:32.771381 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:33.779579 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:33.779810 2001:980:3306:0:200:24ff:fecd:7df8 > xs8.xs4all.nl: icmp6: echo reply
14:44:34.780870 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:35.787575 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:36.795766 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:37.803459 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:38.811654 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:39.819115 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:40.848115 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:41.835736 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:42.843185 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:43.851684 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:44.859811 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:45.867267 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:46.875449 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:47.883991 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:48.891351 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:49.899560 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:50.907737 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:51.915566 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:52.923601 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:53.931576 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:54.939495 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:55.947474 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:55.947720 2001:980:3306:0:200:24ff:fecd:7df8 > xs8.xs4all.nl: icmp6: echo reply
14:44:56.283017 fe80::90:1a00:1a1:88e6 > ff02::1: icmp6: router advertisement
14:44:56.949772 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:57.955698 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:58.963152 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
14:44:59.971384 xs8.xs4all.nl > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
And a bit of pf logging:
$ sudo tcpdump -n -e -ttt -r /var/log/pflog icmp6
tcpdump: WARNING: snaplen raised from 116 to 160
Jul 16 14:31:23.223439 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:31:23.223547 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:31:47.406995 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:31:47.407099 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:32:07.559498 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:32:07.559604 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:32:34.767123 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:32:34.767223 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:33:01.975001 rule 1/(match) match in on pppoe0: 2001:888:0:1::888 > 2001:980:3306:0:200:24ff:fecd:7df8: icmp6: echo request
Jul 16 14:33:01.975108 rule 1/(match) match out on pppoe0: 2001:980:3306:0:200:24ff:fecd:7df8 > 2001:888:0:1::888: icmp6: echo reply
Jul 16 14:33:24.675827 rule 1/(match) match in on pppoe0: fe80::90:1a00:1a1:88e6 > ff02::1: icmp6: router advertisement
$ cat hostname.bridge0
add vether0
add vr1
add vr2
add vr3
up
$ cat hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE \
pppoedev vr0 authproto pap \
authname 'p...@xs4all.nl' authkey 'bar' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
$ sudo cat /etc/pf.conf
set skip on lo0
set skip on ral0
set skip on bridge0
match on pppoe0 scrub (max-mss 1440)
match log on pppoe0 inet6
big_scary_world = "!10.0.0.0/16"
inside_network = "10.0.0.0/16"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
int_if = vr1
ext_if = pppoe0
tcp_services = "{ discard, chargen, time, echo, http }"
table <int_nat_src_addr> const { 10.0.0.0/16, !10.0.0.1 }
# ssh backup rule
pass in quick proto tcp from any port { 443 }
# Begin
block in on $ext_if from $big_scary_world
pass on $ext_if proto icmp from any to any
pass on $ext_if proto tcp from any to any port 443
pass on $ext_if proto tcp from any to any port $tcp_services
pass in from $inside_network
pass out on $ext_if from <int_nat_src_addr> to any nat-to 80.101.175.113
pass out from { $ext_if $int_if }
match on pppoe0 proto icmp6
match in on pppoe0 inet6
match out on pppoe0 inet6
#block in on pppoe0 inet6
#pass in on pppoe0 inet6
$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33196
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet 127.0.0.1 netmask 0xff000000
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:cd:7d:f8
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::200:24ff:fecd:7df8%vr0 prefixlen 64 scopeid 0x1
vr1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:cd:7d:f9
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::200:24ff:fecd:7df9%vr1 prefixlen 64 scopeid 0x2
vr2: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:cd:7d:fa
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::200:24ff:fecd:7dfa%vr2 prefixlen 64 scopeid 0x3
vr3: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:24:cd:7d:fb
priority: 0
media: Ethernet autoselect (none)
status: no carrier
inet6 fe80::200:24ff:fecd:7dfb%vr3 prefixlen 64 scopeid 0x4
enc0: flags=0<>
priority: 0
groups: enc
status: active
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:12:0e:61:48:98
priority: 4
groups: wlan
media: IEEE802.11 OFDM54 mode 11g hostap (autoselect mode 11g hostap)
status: active
ieee80211: <snip>
inet6 fe80::212:eff:fe61:4898%ral0 prefixlen 64 scopeid 0x7
vether0: flags=28943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr fe:e1:ba:d0:da:90
priority: 0
groups: vether
media: Ethernet autoselect
status: active
inet 10.0.0.1 netmask 0xffff0000 broadcast 10.0.255.255
pppoe0: flags=8951<UP,POINTOPOINT,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1492
priority: 0
dev: vr0 state: session
sid: 0x6 PADI retries: 0 PADR retries: 0 time: 16:40:48
sppp: phase network authproto pap
groups: pppoe egress
status: active
inet 80.101.175.113 --> 194.109.5.213 netmask 0xffffffff
inet6 fe80::200:24ff:fecd:7df8%pppoe0 -> prefixlen 64 scopeid 0x9
inet6 2001:980:3306:0:200:24ff:fecd:7df8 -> prefixlen 64
bridge0: flags=41<UP,RUNNING>
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
vether0 flags=3<LEARNING,DISCOVER>
port 8 ifpriority 0 ifcost 0
vr1 flags=3<LEARNING,DISCOVER>
port 2 ifpriority 0 ifcost 0
vr2 flags=3<LEARNING,DISCOVER>
port 3 ifpriority 0 ifcost 0
vr3 flags=3<LEARNING,DISCOVER>
port 4 ifpriority 0 ifcost 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33196
priority: 0
groups: pflog
pfTop: Up Rule 1-20/20, View: rules, Cache: 10000                    14:51:23
RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
0 Match Any pppoe0 263 126141 0
all max-mss 1440
1 Match Any Log pppoe0 45 4680 0
inet6 all
2 Pass In Q tcp K 0 0 0
from any port = https to any flags S/SA
3 Block In pppoe0 1 40 0
drop inet from ! 10.0.0.0/16 to any
4 Pass Any pppoe0 tcp K 0 0 0
from any to any port = https flags S/SA
5 Pass Any pppoe0 tcp K 0 0 0
from any to any port = discard flags S/SA
6 Pass Any pppoe0 tcp K 0 0 0
from any to any port = chargen flags S/SA
7 Pass Any pppoe0 tcp K 0 0 0
from any to any port = time flags S/SA
8 Pass Any pppoe0 tcp K 0 0 0
from any to any port = echo flags S/SA
9 Pass Any pppoe0 tcp K 206 120141 9
from any to any port = www flags S/SA
10 Pass Any pppoe0 icmp K 0 0 0
all
11 Pass In K 0 0 0
inet from 10.0.0.0/16 to any flags S/SA
12 Pass Out pppoe0 K 0 0 0
inet from <int_nat_src_addr> to any flags S/SA
13 Pass Out pppoe0 K 0 0 0
inet6 from fe80::200:24ff:fecd:7df8/128 to any flags S/SA
14 Pass Out K 45 4680 45
inet6 from 2001:980:3306:0:200:24ff:fecd:7df8/128 to any flags S/SA
15 Pass Out vr1 K 0 0 0
inet6 from fe80::200:24ff:fecd:7df9/128 to any flags S/SA
16 Pass Out K 12 1320 6
inet from 80.101.175.113/32 to any flags S/SA
17 Match In pppoe0 0 0 0
inet6 all
18 Match Out pppoe0 45 4680 0
inet6 all
19 Match Any pppoe0 ipv6-icmp 45 4680 0
all
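The post compares three views of the same traffic: the ping statistics on the remote host, the `tcpdump -i pppoe0 icmp6` capture, and the per-rule counters from pflog and pfTop. Doing that comparison by hand is tedious, so here is an added example (not part of Pieter's post, and not OpenBSD code) that parses the two text formats shown above, pairs each ICMPv6 echo request with the reply that follows it, reports the resulting loss figure, and tallies pflog records per rule and direction. The sample lines are constructed in the same layout as the post's output (the documentation prefix 2001:db8::/32 stands in for the real addresses), and the one-second pairing window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of `tcpdump -i pppoe0 icmp6` on OpenBSD
# (addresses from the 2001:db8::/32 documentation range; not the post's lines).
TCPDUMP_SAMPLE = """\
tcpdump: listening on pppoe0, link-type PPP_ETHER
14:44:31.763653 xs8.example.net > 2001:db8::1: icmp6: echo request
14:44:32.771381 xs8.example.net > 2001:db8::1: icmp6: echo request
14:44:33.779579 xs8.example.net > 2001:db8::1: icmp6: echo request
14:44:33.779810 2001:db8::1 > xs8.example.net: icmp6: echo reply
14:44:34.780870 xs8.example.net > 2001:db8::1: icmp6: echo request
14:44:56.283017 fe80::90:1a00:1a1:88e6 > ff02::1: icmp6: router advertisement
"""

# Constructed sample in the layout of `tcpdump -n -e -ttt -r /var/log/pflog icmp6`.
PFLOG_SAMPLE = """\
tcpdump: WARNING: snaplen raised from 116 to 160
Jul 16 14:31:23.223439 rule 1/(match) match in on pppoe0: 2001:db8::2 > 2001:db8::1: icmp6: echo request
Jul 16 14:31:23.223547 rule 1/(match) match out on pppoe0: 2001:db8::1 > 2001:db8::2: icmp6: echo reply
"""

TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): icmp6: (?P<kind>.+)$")
PFLOG_RE = re.compile(
    r"^\w{3} +\d+ (?P<ts>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): icmp6: (?P<kind>.+)$")


def parse_tcpdump(text):
    """Return one dict per ICMPv6 record; non-matching lines (banners) are skipped."""
    events = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%H:%M:%S.%f")
            events.append(ev)
    return events


def echo_stats(events, window=1.0):
    """Pair each echo request with the first later reply from dst back to src
    within `window` seconds (assumed; on the post's capture replies arrive
    within a millisecond) and report how many requests went unanswered."""
    pending = {}  # (src, dst) -> timestamps of requests not yet answered
    requests = replies = answered = other = 0
    for ev in events:
        if ev["kind"] == "echo request":
            requests += 1
            pending.setdefault((ev["src"], ev["dst"]), []).append(ev["ts"])
        elif ev["kind"] == "echo reply":
            replies += 1
            queue = pending.get((ev["dst"], ev["src"]), [])
            # Requests older than the window can no longer be answered by this reply.
            while queue and (ev["ts"] - queue[0]).total_seconds() > window:
                queue.pop(0)
            if queue:
                queue.pop(0)
                answered += 1
        else:
            other += 1  # router advertisements, neighbour discovery, ...
    loss_pct = round(100.0 * (requests - answered) / requests, 1) if requests else 0.0
    return {"requests": requests, "replies": replies, "answered": answered,
            "other": other, "loss_pct": loss_pct}


def pflog_counts(text):
    """Count pflog records per (rule number, action, direction), the same
    split pfTop shows as separate In/Out match rules."""
    counts = Counter()
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            counts[(m.group("rule"), m.group("action"), m.group("dir"))] += 1
    return counts


if __name__ == "__main__":
    print("echo pairing:", echo_stats(parse_tcpdump(TCPDUMP_SAMPLE)))
    for (rule, action, direction), n in sorted(pflog_counts(PFLOG_SAMPLE).items()):
        print(f"rule {rule} {action} {direction}: {n}")
```

Run against real files, the first figure tells you what fraction of requests seen on the wire were answered by the host, and the second tells you how many of those packets pf actually evaluated against the ruleset in each direction. When the wire count of inbound requests is far higher than the pflog or pfTop "match in" count, as in the post, the missing packets were either never handed to pf on that interface or were handled by an existing state without traversing the rules, and that gap is the thing to investigate before changing pass rules.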