Hi,

I'm having very similar problems to this, I think. Syspatch'ed OpenBSD 6.5 on an apu4c4, with my ISP-supplied termination device (cable modem, effectively) directly attached to an ethernet interface. No switch. IPv4 works fine. DHCPv6 NA+PD seems to work OK — I get v6 NA & PD assignments — but I can't ping anything beyond my gateway. If I use the ISP-supplied router I have fully functional dualstack networking.

I saw sthen@'s recent post on this topic with his configs included. I adjusted my configs (which were already pretty close) to reflect what he'd done, but no joy :-(.

FWIW my ISP is Telstra in Australia. Looking around a bit I found a pfSense discussion wherein the suggestion was to make a config change to what I assume underneath the pfSense UI is FreeBSD's "net.inet6.icmp6.nd6_onlink_ns_rfc4861" sysctl:

https://whirlpool.net.au/wiki/pfsense_ipv6_telstra

But I also found this old discussion that suggested that OpenBSD's behaviour here — and lack of this particular knob — was a result of a nasty old CVE:

https://misc.openbsd.narkive.com/3KdNDcEM/openbsd-ignoring-rfc-compliant-ipv6-neighbor-solicitation#post1

My next discovery step is to boot Debian on my spare apu4c4 and see if it works there, capture some traffic, etc. I don't want to use that as a gateway, though.

John

On Tue, 30 Jul 2019 at 16:22, Kyle <arad...@tma-0.net> wrote:

> Hi all,
>
> I'm trying to get IPv6 set up on a firewall box running 6.4. I'm using
> dhcpcd to get an NA and several PDs, which appears to be working fine, but
> no normal v6 traffic can be sent or received. tcpdump on the egress
> interface (em3) shows lots of icmp6 neighbor solicits going back and forth,
> but no responses from either side:
>
> $ ifconfig em3
> em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 0c:c4:7a:ad:2a:e7
>         index 4 priority 0 llprio 3
>         groups: egress
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet6 fe80::8dfc:5795:8ab7:e2b%em3 prefixlen 64 scopeid 0x4
>         inet <omitted> netmask 0xffffe000 broadcast <omitted>
>         inet6 2605:a601:fe07:c900::1 prefixlen 128 pltime 64553 vltime 86153
>
> $ tcpdump -nlp -i em3 ip6
> ... neighbor sol repeating many times ...
> 22:46:53.876457 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
> 22:47:01.876688 fe80::2d0:f6ff:feea:4ff0 > 2605:a601:fe07:c900::1: icmp6: neighbor sol: who has 2605:a601:fe07:c900::1 [class 0xc0]
> 22:47:01.876778 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
> 22:47:01.877542 fe80::2d0:f6ff:feea:4ff0 > fe80::8dfc:5795:8ab7:e2b: icmp6: neighbor sol: who has fe80::8dfc:5795:8ab7:e2b [class 0xc0]
> 22:47:02.876594 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
> 22:47:03.876603 fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
> 22:47:32.337233 fe80::8dfc:5795:8ab7:e2b.546 > ff02::1:2.547: dhcp6 release [hlim 1]
> 22:47:32.515413 fe80::2d0:f6ff:feea:4ff0.547 > fe80::8dfc:5795:8ab7:e2b.546: dhcp6 [class 0xc0]
>
> I added "pass quick on em3 inet6" to the top of pf.conf to make sure the
> responses aren't being filtered.
>
> The peer LL address is always marked incomplete:
>
> $ ndp -na | grep em3
> 2605:a601:fe07:c900::1        0c:c4:7a:ad:2a:e7  em3 permanent R l
> fe80::2d0:f6ff:feea:4ff0%em3  00:d0:f6:ea:51:96  em3 expired   I R
> fe80::8dfc:5795:8ab7:e2b%em3  0c:c4:7a:ad:2a:e7  em3 permanent R l
>
> Pinging any v6 address outside my network only results in one
> fe80::8dfc:5795:8ab7:e2b > ff02::1:ffea:4ff0: icmp6: neighbor sol: who has fe80::2d0:f6ff:feea:4ff0
>
> per ping sent.
>
> Routes:
>
> $ route -n show -inet6 | grep em3
> default                       fe80::2d0:f6ff:feea:4ff0%em3  UGS    0  53699   -  8 em3
> 2605:a601:fe07:c900::1        0c:c4:7a:ad:2a:e7             UHLl   0  1752    -  1 em3
> fe80::%em3/64                 fe80::8dfc:5795:8ab7:e2b%em3  UCn    1  1       -  4 em3
> fe80::2d0:f6ff:feea:4ff0%em3  00:d0:f6:ea:51:96             UHLch  1  720183  -  3 em3
> fe80::8dfc:5795:8ab7:e2b%em3  0c:c4:7a:ad:2a:e7             UHLl   0  110606  -  1 em3
> ff01::%em3/32                 fe80::8dfc:5795:8ab7:e2b%em3  Um     0  3       -  4 em3
> ff02::%em3/32                 fe80::8dfc:5795:8ab7:e2b%em3  Um     0  161322  -  4 em3
>
> There is a managed switch between the firewall's egress and the ISP, but
> it's not doing any packet filtering. I'm currently out of ideas; any
> suggestions would be much appreciated.