After upgrading pfSense from 2.7.2 to 2.8.0 I suddenly get ~30% packet loss on IPv6

NerLOR

Hello!

After upgrading pfSense from 2.7.2 to 2.8.0 I noticed, that my OpenVPN connection (over IPv6) behaved weirdly. I investigated further and noticed, that over IPv4 everything works just fine. My observations are: When using IPv6 (ICMP/TCP/UDP) on any internal network, everything works also fine. But when sending from a global IPv6 address, I get around 30% packet loss.

When I "Disable all packet filtering" in the advanced system settings the issue goes away. After re-enabling pf the ~30% packet loss return (as always, only on IPv6 packets from "outside"). The issue also persists after rebooting the device. I use primarily NAT via port forwarding (also for IPv6), but the issue also occurs on ICMPv6 pings targeted at the WAN interface of the firewall itself.

Has anyone an idea, if I missed something? Or has this issue really been introduced by 2.8.0?

Best Regards
Lorenz

rvadi

@NerLOR

I faced a similar issue as well. My observation was the NICs in 2.8.0 seem to be configured for IPV6 Neighbor solicitation every 30 secs, while this occurs, and pfsense either processes it or does something the NIC can no longer forward traffic including the dpinger pings, or any other traffic, after a brief delay for 7-8 seconds the connectivity resumes.

I did a bit of research and figured out that this is controlled via the command NDP, which can enable or disable Neighbor Unreachability Detection that is enabled on the NIC. The following command will disable NUD, and the NDP entry will expire in 24 hours, as opposed to every 30 secs.

/usr/sbin/ndp -i <int device> -- -nud

Additionally I put a script in /usr/local/etc/rc.d that will also execute the command on a reboot.

I hope this helps, let me know if it worked for you.

Raj

NerLOR

@rvadi

Thank you for your response, the ndp -i igb0 -- -nud command works for me!

Nevertheless, it seems, that this NUD/NDP behavior is not intended... I hope, this will get fixed in a future update.

pst

@rvadi said in After upgrading pfSense from 2.7.2 to 2.8.0 I suddenly get ~30% packet loss on IPv6:

while this occurs, and pfsense either processes it or does something the NIC can no longer forward traffic including the dpinger pings, or any other traffic, after a brief delay for 7-8 seconds the connectivity resumes.

this sounds serious, perhaps raise a redmine on this? or at least prod someone to take it further... @stephenw10 for example

rvadi

@pst

Did the workaround help? Did you see a change in the behavior?

pst

@rvadi To clarify, I wasn't experiencing the same issue, but reading your post I just felt I needed to make the suggestion to raise it as a bug. It's good with work-arounds, but to me it smells like a bug that needs fixing.

I'm not on 2.8.0, but I am currently beta testing 25.03 which might have the same issue. I don't use the igb interface though, nor openvpn, so I can't help with the debugging.

rvadi

@pst

Will report it as a bug!

Thanks!

Raj

TronixA94724

I ran this command after upgrading from 2.7.2 to 2.8.0, as I started experiencing significant issues with my work VPN connection behind the firewall. Upon checking the connection properties, I noticed that the VPN was attempting to connect through an IPv6 gateway.

What’s particularly strange is that while the VPN would eventually connect, it often required multiple connection attempts before any traffic would actually pass through.

I’m hoping this fix resolves the issue moving forward—fingers crossed for the next time I need to connect.