On 17-08-2015 21:04, Giancarlo Razzolini wrote:
On 17-08-2015 08:54, Claus Lensbøl wrote:
pass quick inet6 proto udp from 2a02:188:5002::/48 to <__automatic_e513959b_6> port = 547
pass quick on lo0 inet6 proto udp from 2a02:188:5002::/48 to fe80::1 port = 547
pass quick on bge0 inet6 proto udp from 2a02:188:5002::/48 to fe80::8634:97ff:fe11:c494 port = 547
pass quick inet6 proto tcp from 2a02:188:5002::/48 to <__automatic_e513959b_5> port = 547 flags S/SA
pass quick on lo0 inet6 proto tcp from 2a02:188:5002::/48 to fe80::1 port = 547 flags S/SA
From these rules I see you're filtering on global addresses. But your
machines don't have global addresses (yet), unless they are getting
the address through SLAAC and are only consulting the DHCPv6 server for
DNS and prefix delegation information. Either way, can you reach your
clients through link-local addresses? More specifically, try pinging all
hosts using the multicast address:
ping6 fe02::1%<IF>
See if you're getting replies, and if so, from the desired machines.
The next step would be trying to communicate with them, using their
link-local address and some tool like netcat. tcpdump is also your
friend here. That way you can be sure you have network-level
communication with them. You can also try to disable PF and turn on NDP
debugging, net.inet6.icmp6.nd6_debug.
Cheers,
Giancarlo Razzolini
It is possible for me to ping the host by the link-local address
and get replies, but not by the multicast address.
# ping6 fe80::20d:b9ff:fe18:e160%vlan710
PING6(56=40+8+8 bytes) fe80::8634:97ff:fe11:c495%vlan710 --> fe80::20d:b9ff:fe18:e160%vlan710
16 bytes from fe80::20d:b9ff:fe18:e160%vlan710, icmp_seq=0 hlim=64 time=0.669 ms
16 bytes from fe80::20d:b9ff:fe18:e160%vlan710, icmp_seq=1 hlim=64 time=0.223 ms
# ping6 fe02::1%vlan710
ping6: no address associated with name
But yes, I'm only using pf rules based on the global addresses,
and that might be a problem.
Do you have any good ideas for rules to compensate for this?
Thank you!
Claus
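As an added illustration of the kind of rules the question above asks for (this is not Claus's or Giancarlo's configuration and not part of the thread), the pf.conf fragment below puts the quoted global-address rule next to rules written for how DHCPv6 actually arrives. A DHCPv6 client that has no address yet sends its Solicit from a link-local source (fe80::/10), UDP source port 546, to the All_DHCP_Relay_Agents_and_Servers multicast group ff02::1:2 on UDP port 547 (RFC 8415), so a rule that only matches sources in 2a02:188:5002::/48 never sees it; the server's reply is then unicast link-local to link-local, ports 547 to 546, and pf cannot derive a matching state from a packet whose destination was a multicast group. Neighbour discovery (ICMPv6 types 133 to 136) has to pass as well, or the link-local unicast step fails. The interface name vlan710 is assumed from the ping test above, the prefix 2a02:188:5002::/48 is taken from the quoted rules, and the server is assumed to run its DHCPv6 daemon directly on vlan710; note that the quoted rules are bound to lo0 and bge0 (bge0's link-local ends in c494), so if the clients sit on vlan710 (link-local ending in c495) the bge0-bound rule does not apply to that traffic.

```pf
# Added example pf.conf fragment (OpenBSD/FreeBSD pf syntax); not from the thread.
# Assumptions: the DHCPv6 server daemon listens on vlan710 (name taken from the
# ping test in the thread), clients and relays live in 2a02:188:5002::/48 (taken
# from the quoted rules). Adjust both macros to the real environment.
dhcp6_if   = "vlan710"
client_net = "2a02:188:5002::/48"

# The original approach, as quoted in the thread: only global source addresses
# may reach port 547. An unconfigured DHCPv6 client has no global address and
# sends from fe80::/10 to ff02::1:2, so this rule matches nothing for it.
# pass quick inet6 proto udp from $client_net to (self) port 547

# IPv6 neighbour discovery: without these, link-local unicast (and thus the
# server's DHCPv6 Reply) cannot be delivered. 'all' also covers DAD probes,
# whose source is the unspecified address ::.
pass quick on $dhcp6_if inet6 proto icmp6 all \
    icmp6-type { neighbrsol, neighbradv, routersol, routeradv }

# Client -> server: Solicit/Request/Renew from a link-local source, UDP 546,
# to the All_DHCP_Relay_Agents_and_Servers group ff02::1:2, UDP 547.
pass in quick on $dhcp6_if inet6 proto udp \
    from fe80::/10 port 546 to ff02::1:2 port 547

# Server -> client: Advertise/Reply are unicast link-local to link-local,
# UDP 547 -> 546. The multicast request above creates no state that matches
# this direction, so it is passed explicitly.
pass out quick on $dhcp6_if inet6 proto udp \
    from fe80::/10 port 547 to fe80::/10 port 546

# Relay -> server: a relay agent on another link forwards Relay-forward
# messages from its own (global) address, UDP 547 -> 547. This is the only
# DHCPv6 path where filtering on the global prefix is meaningful; the reply
# to the relay rides on the state created here.
pass in quick on $dhcp6_if inet6 proto udp \
    from $client_net port 547 to ($dhcp6_if) port 547
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it, and watch the exchange on the wire with `tcpdump -ni vlan710 udp port 546 or udp port 547` while a client boots: a Solicit to ff02::1:2 with no Advertise coming back from the server's fe80:: address points at the firewall (or at the daemon not listening on that interface), whereas no Solicit at all means the client side never reached the link.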