On Thu, May 19, 2022 at 09:35:53AM -0000, Stuart Henderson wrote:
> On 2022-05-19, Jordan Geoghegan <jor...@geoghegan.ca> wrote:
> > I've run pfsync + CARP for a number of years now. One interesting
> > "gotcha" I discovered when building an IPv6-only test network was that
> > pfsync does not work in an IPv6-only environment. I tried both unicast
> > and multicast configurations to no avail. When pfsync has a parent
> > interface that only has an IPv6 address assigned (ie no IPv4 at all), no
> > pfsync traffic transits the interface. Just thought I'd share this
> > little tidbit since you were looking for edge cases and gotchas and
> > since IPv6 support (or lack thereof) is not mentioned in the manpage.
>
> That sounds like a bug not an "edge case". To my knowledge nobody ever
> reported that, consider writing it up for bugs@.

Connectivity issues in a pure IPv6 environment are often due to NDP packets
not being correctly passed.

For example, the default firewall ruleset in /etc/rc is supposed to allow
basic connectivity such as ssh. However, it breaks IPv6 neighbour discovery
protocol in at least some situations.

I'm not in the office at the moment, so I can't test anything on a current
system, but notes I made last year which would have been with 6.8-release:

Considering a direct link between two machines with no routing or other
network hardware in between:

Output from ndp -a with the default ruleset:

Neighbor                       Linklayer Address  Netif Expire    S Flags
node1                          (incomplete)       em0   expired   N
node2                          b4:2e:99:f2:2f:67  em0   permanent R l
fe80::b62e:99ff:fef2:2f67%em0  b4:2e:99:f2:2f:67  em0   permanent R l

The default ruleset allows neighbour solicitations out and neighbour
advertisements in. Adding rules to allow neighbour solicitations in and
neighbour advertisements out fixes the problem.
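
An added example, not part of the mail above: a small checker that reads pf rules on stdin and reports which of the four neighbour solicitation/advertisement directions no pass rule covers. The function name ndp_gaps and the sample rules are constructed for illustration; the matching is a heuristic that assumes one icmp6-type per rule and ignores block rules, quick and rule order.

```shell
#!/bin/sh
# Added example: report NDP directions that a pf ruleset does not pass.
# Input: rules in pf.conf syntax (or `pfctl -sr` style output) on stdin.
# Heuristic (assumption): only `pass` rules naming icmp6-type neighbrsol
# or neighbradv are counted; a rule with no in/out keyword counts for both.
ndp_gaps() {
    awk '
    $1 == "pass" && /icmp6-type/ {
        dir = "both"
        if ($2 == "in" || $2 == "out") dir = $2
        for (i = 1; i < NF; i++) {
            if ($i != "icmp6-type") continue
            t = $(i + 1)
            if (t != "neighbrsol" && t != "neighbradv") continue
            if (dir != "out") seen[t " in"] = 1
            if (dir != "in")  seen[t " out"] = 1
        }
    }
    END {
        n = split("neighbrsol in,neighbrsol out,neighbradv in,neighbradv out", want, ",")
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) print "missing: " want[i]
    }'
}

# Constructed sample: the two directions the mail says the default allows.
default_rules='pass out inet6 proto icmp6 all icmp6-type neighbrsol
pass in inet6 proto icmp6 all icmp6-type neighbradv'

# Constructed sample: the same rules plus the two directions the mail adds.
fixed_rules="$default_rules
pass in inet6 proto icmp6 all icmp6-type neighbrsol
pass out inet6 proto icmp6 all icmp6-type neighbradv"

echo "default ruleset:"
printf '%s\n' "$default_rules" | ndp_gaps
echo "with the added rules:"
printf '%s\n' "$fixed_rules" | ndp_gaps
```

On a live system the same function can be fed the loaded ruleset with `pfctl -sr | ndp_gaps`.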