Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPv6 strangeness

    Scheduled Pinned Locked Moved IPv6
    24 Posts 4 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • awebsterA
      awebster @Derelict
      last edited by

      @Derelict, I too agree that IPv6 networks should be provisioned properly.
      My observation is that the problem at its root is not one of technology, but one of human nature, namely the path of least resistance. Consider these two juxtaposed statements:

      • If the provider can save time and money by rolling out their IPv6 addressing in a way that removes the need for them to have to configure additional routing in their devices, surely they will choose that path.
      • Similarly, if the pfSense developers choose to save time and effort by not including an ND Proxy functionality because the problem affects a tiny subset of their installed base, surely they will also choose that path.

      I am unaware of any RFC document that clearly states that one MUST NOT use an ND Proxy in their network, consequently, the provider is free to choose to use that methodology of reaching their downstream clients.
      Furthermore, the official reference to ND Proxy, RFC 4389 "Neighbor Discovery Proxies (ND Proxy)" section 1.3, states that the ND Proxy is inapplicable "when configuration of the router can (emphasis mine) be done". Notice that the RFC itself doesn't use the terminology from BPC 14, RFC 2119 to which it refers in the very next section.
      By using the word "can", it leads to confusion as to the applicability of that very statement. The provider could argue they "can't" make configuration changes to their router for any number of operational reasons, thus justifying the requirement for use of an ND Proxy.
      Additionally, if the Modem/ONT/box the providers typically install have a working ND Proxy solution, it's a pretty sure bet that they aren't going to lift a finger to do it "the right way".
      In all honesty, the provider doesn't care if the customer has to go look elsewhere for "proper" connectivity, sadly there isn't a critical mass of pfSense users to make a difference.

      On this topic, I'm having déjà vu, but aside from it being an ideological issue, does it really hurt anyone to implement the functionality?

      –A.

      DerelictD 1 Reply Last reply Reply Quote 0
      • JKnottJ
        JKnott @cmpsalvestrini
        last edited by

        @cmpsalvestrini said in IPv6 strangeness:

        Philosophically, I feel that this routing nonsense on part of ISPs is due to them still thinking of IPv6 in terms of addresses instead of subnets.

        Philosophically, nothing. Factually, they're clueless. They can't expect anyone to put a /56 directly on a LAN. That might work with a /64, but not /56.

        If they provide a /56, they have to be able to route to it and leave it to you to split it into /64s.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        1 Reply Last reply Reply Quote 0
        • C
          cmpsalvestrini
          last edited by

          I had an epiphany of storts. What if I use ULA and NPT? I've never looked at that option seriously, but I might consider it now. Of course there is the ultimate irony: That I -- having native IPv6 from my ISP -- be forced to use HE.net's tunnel broker (drumroll).

          Will test & report back.

          JKnottJ 1 Reply Last reply Reply Quote 0
          • JKnottJ
            JKnott @cmpsalvestrini
            last edited by

            @cmpsalvestrini

            That wouldn't work either. There's be no way for packets to be routed to your LANs.

            I'm on an ISP called Rogers. They provide a /56 via DHCPv6-PD, which provides everything pfSense needs to work with up to 256 /64s. If they receive a packet for one of my /64s, then they forward it to pfSense, which in turn forwards it as appropriate. Without the ISP forwarding traffic, that won't work.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate @awebster
              last edited by

              @awebster Putting a /56 on an interface is complete nonsense and they should be laughed out of existence and ridiculed at every opportunity.

              What ISP/Hosting/colo is this, anyway?

              @cmpsalvestrini said in IPv6 strangeness:

              Prefix is 2001:818.d9d9:ba00::/56 provisioned through DHCPv6.

              Do this:

              Pick an address from some random /64 there like 2001:818.d9d9:bafe::1

              Start a packet capture on your WAN for all IPv6 with 2001:818.d9d9:bafe::1 as the host.

              Find an outside way to ping6 it and ping6 it. (http://www.ipv6now.com.au/pingme.php)

              Stop and examine the packet capture. Do you see ND for that address or ICMP6 arriving to that address as the destination?

              Please also show us the resulting WAN configuration in Status > Interfaces

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • C
                cmpsalvestrini
                last edited by cmpsalvestrini

                @Derelict the ISP is Vodafone Portugal - I may be switching ISPs because of this nonsense. Will do as you ask, & post results.

                Edit - Got the packet capture, I find exactly zero ND on the first run. Doing a second run now, to confirm, with another address.

                Edit #2 - Packet capture done. here are the results.

                °fa-info°(23:08:07.944717 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.63919 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 46
                23:08:07.944760 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.63919: UDP, length 12
                23:08:12.698103 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402, length 32
                23:08:12.698120 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:a940:4aec:d1aa:a207: ICMP6, neighbor advertisement, tgt is 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402, length 24
                23:08:17.580837 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:a940:4aec:d1aa:a207: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:a940:4aec:d1aa:a207, length 32
                23:08:17.582350 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor advertisement, tgt is 2001:818:d9d9:ba00:a940:4aec:d1aa:a207, length 32
                23:08:19.840689 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.60675 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 55
                23:08:19.840732 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.60675: UDP, length 12
                23:08:19.842781 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.60675 > 2606:4700:4700::1001.53: UDP, length 55
                23:08:19.842796 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.60675 > 2606:4700:4700::1001.53: UDP, length 55
                23:08:19.842803 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:a940:4aec:d1aa:a207: ICMP6, redirect, 2606:4700:4700::1001 to fe80::6eb3:11ff:fe1b:5402, length 152
                23:08:29.781571 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.47585 > 2001:4860:4860::8844.53: UDP, length 56
                23:08:29.781910 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.17408 > 2606:4700:4700::1111.53: UDP, length 56
                23:08:29.785855 IP6 2606:4700:4700::1111.53 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.17408: UDP, length 220
                23:08:29.822875 IP6 2001:4860:4860::8844.53 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.47585: UDP, length 220
                23:08:29.823033 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.60656 > 2001:4860:4860::8844.53: UDP, length 51
                23:08:29.856275 IP6 2001:4860:4860::8844.53 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.60656: UDP, length 136
                23:08:31.983364 IP6 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127 > 2001:818:d9d9:ba01::1.53: UDP, length 42
                23:08:31.983406 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127: UDP, length 12
                23:08:31.983415 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1111.53: UDP, length 42
                23:08:31.983427 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1001.53: UDP, length 42
                23:08:31.983427 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1111.53: UDP, length 42
                23:08:31.983438 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1001.53: UDP, length 42
                23:08:31.983444 IP6 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
                23:08:31.983458 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127: UDP, length 12
                23:08:36.920056 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:265e:beff:fe1e:8b45: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:265e:beff:fe1e:8b45, length 32
                23:08:36.920151 IP6 2001:818:d9d9:ba00:265e:beff:fe1e:8b45 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor advertisement, tgt is 2001:818:d9d9:ba00:265e:beff:fe1e:8b45, length 24
                23:08:36.993102 IP6 fe80::265e:beff:fe1e:8b45 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402, length 32
                23:08:50.089195 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.51647 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
                23:08:50.089233 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.51647: UDP, length 12
                23:08:50.089293 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.62184 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
                23:08:50.089308 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.62184: UDP, length 12
                23:08:50.089401 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59579 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 39
                23:08:50.089410 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59579: UDP, length 12
                23:08:50.089515 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.65012 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 39
                23:08:50.089533 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.65012: UDP, length 12
                23:08:50.107520 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.54771 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 32
                23:08:50.107531 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.54771: UDP, length 12
                23:08:50.108276 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.49608 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 32
                23:08:50.108289 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.49608: UDP, length 12
                23:08:50.117670 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58438 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
                23:08:50.117682 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58438: UDP, length 12
                23:08:50.118107 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.55657 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
                23:08:50.118116 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.55657: UDP, length 12
                23:08:50.120082 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, destination unreachable, unreachable port, 2001:818:d9d9:ba00:2158:328a:6bd:e98c udp port 58438, length 68
                23:08:50.120087 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, destination unreachable, unreachable port, 2001:818:d9d9:ba00:2158:328a:6bd:e98c udp port 55657, length 68
                23:08:50.178559 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59034 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
                23:08:50.178571 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59034: UDP, length 12
                23:08:50.179713 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.63271 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
                23:08:50.179724 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.63271: UDP, length 12
                23:08:50.733725 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.53185 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
                23:08:50.733765 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.53185: UDP, length 12
                23:08:50.734117 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58430 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
                23:08:50.734133 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58430: UDP, length 12
                23:08:51.179880 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59034 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
                23:08:51.179897 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59034: UDP, length 12
                23:08:51.179908 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.63271 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
                23:08:51.179919 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.63271: UDP, length 12
                23:08:51.741577 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.53185 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
                23:08:51.741588 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.53185: UDP, length 12
                23:08:51.741685 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58430 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
                23:08:51.741696 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58430: UDP, length 12
                23:08:52.686759 IP6 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127 > 2001:818:d9d9:ba01::1.53: UDP, length 42
                23:08:52.686782 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127: UDP, length 12
                23:08:52.686805 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1111.53: UDP, length 42
                23:08:52.686810 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1111.53: UDP, length 42
                23:08:52.686817 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1001.53: UDP, length 42
                23:08:52.686823 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1001.53: UDP, length 42
                23:08:52.686857 IP6 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
                23:08:52.686870 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127: UDP, length 12
                23:08:53.015682 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52059 > 2a01:b740:a41:401::a.443: tcp 0
                23:08:53.015698 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52059 > 2a01:b740:a41:401::a.443: tcp 0
                23:08:53.015705 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:401::a to fe80::6eb3:11ff:fe1b:5402, length 136
                23:08:53.278807 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52060 > 2a01:b740:a41:409::5.443: tcp 0
                23:08:53.278817 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52060 > 2a01:b740:a41:409::5.443: tcp 0
                23:08:53.278821 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:409::5 to fe80::6eb3:11ff:fe1b:5402, length 136
                23:08:53.531285 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52061 > 2a01:b740:a41:401::7.443: tcp 0
                23:08:53.531307 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52061 > 2a01:b740:a41:401::7.443: tcp 0
                23:08:53.531314 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:401::7 to fe80::6eb3:11ff:fe1b:5402, length 136
                23:08:53.763758 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402, length 32
                23:08:53.763772 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, neighbor advertisement, tgt is 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402, length 24
                23:08:54.396038 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52062 > 2a01:b740:a41:102::4.443: tcp 0
                23:08:54.396049 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52062 > 2a01:b740:a41:102::4.443: tcp 0
                23:08:54.396053 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:102::4 to fe80::6eb3:11ff:fe1b:5402, length 136
                23:08:54.653744 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52063 > 2a01:b740:a41:107::d.443: tcp 0
                23:08:54.653753 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52063 > 2a01:b740:a41:107::d.443: tcp 0
                23:08:54.653756 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:107::d to fe80::6eb3:11ff:fe1b:5402, length 136
                23:08:54.791802 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:2158:328a:6bd:e98c, length 32
                23:08:54.794227 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor advertisement, tgt is 2001:818:d9d9:ba00:2158:328a:6bd:e98c, length 24
                23:08:54.911315 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52064 > 2a01:b740:a41:107::15.443: tcp 0
                23:08:54.911320 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52064 > 2a01:b740:a41:107::15.443: tcp 0
                23:08:54.911322 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:107::15 to fe80::6eb3:11ff:fe1b:5402, length 136
                23:08:56.262095 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52065 > 2a00:1450:400c:c00::6c.993: tcp 0
                23:08:56.262108 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52065 > 2a00:1450:400c:c00::6c.993: tcp 0
                23:08:56.262112 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a00:1450:400c:c00::6c to fe80::6eb3:11ff:fe1b:5402, length 136
                23:08:56.292762 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52066 > 2a00:1450:400c:c07::6c.993: tcp 0
                23:08:56.292771 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52066 > 2a00:1450:400c:c07::6c.993: tcp 0
                23:08:56.292775 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a00:1450:400c:c07::6c to fe80::6eb3:11ff:fe1b:5402, length 136
                23:08:56.584227 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52067 > 2a00:1450:400c:c07::6c.993: tcp 0
                23:08:56.584250 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52067 > 2a00:1450:400c:c07::6c.993: tcp 0)

                JKnottJ 1 Reply Last reply Reply Quote 0
                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  You didn't filter on the specific host so I have no idea what I'm looking at there.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  1 Reply Last reply Reply Quote 0
                  • C
                    cmpsalvestrini
                    last edited by

                    @Derelict

                    Attempted to, packet capture returned blank when I did.

                    awebsterA 1 Reply Last reply Reply Quote 0
                    • JKnottJ
                      JKnott @cmpsalvestrini
                      last edited by

                      @cmpsalvestrini said in IPv6 strangeness:

                      I find exactly zero ND on the first run.

                      I see several. ND stands for Neighbor Discovery. It's the IPv6 equivalent of ARP. I see both Neighbor Solicitation and Neigbor Advertisement in your capture. Those are the equivalent of ARP request and reply. Do any of those contain the address you pinged? Also, it's easier to download the capture and use Wireshark to read it.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      1 Reply Last reply Reply Quote 0
                      • awebsterA
                        awebster @cmpsalvestrini
                        last edited by awebster

                        @cmpsalvestrini You need to be specifically looking for ICMP6 neighbor solicitation messages, simply trying to capture while filtering for the host won't show anything because it hasn't been found yet (ie: it doesn't exist), consequently the capture will show nothing.
                        You are basically looking for the IPv6 equivalent of an ARP WHO-HAS message.
                        Here is an example of what that actually looks like IRL, but let me set the stage...

                        Host xxxx:yyyy:zzzz:e001::4:9, MAC address: 00:0c:29:cb:fd:01
                        Host xxxx:yyyy:zzzz:e001::4:61, MAC address: 00:0c:29:d7:c8:44
                        ::4:9 has not talked to ::4:61 recently, so needs to figure out how to do that.
                        All Ethernet communication is ultimately Layer 2 based, Layer 3 stuff comes after the hosts have figured out how to reach each other.

                        08:38:22.234952 00:0c:29:cb:fd:01 > 33:33:ff:04:00:61, ethertype IPv6 (0x86dd), length 86: xxxx:yyyy:zzzz:e001::4:9 > ff02::1:ff04:61: ICMP6, neighbor solicitation, who has xxxx:yyyy:zzzz:e001::4:61, length 32

08:38:22.234973 00:0c:29:d7:c8:44 > 00:0c:29:cb:fd:01, ethertype IPv6 (0x86dd), length 86: xxxx:yyyy:zzzz:e001::4:61 > xxxx:yyyy:zzzz:e001::4:9: ICMP6, neighbor advertisement, tgt is xxxx:yyyy:zzzz:e001::4:61, length 32

                        In the above capture, you can see host xxxx:yyyy:zzzz:e001::4:9 wanting to communicate with xxxx:yyyy:zzzz:e001::4:61, but it doesn't yet know where to send the packets, so it asks...
                        Since ..::4:9 doesn't know the Layer 2 MAC address to which to send the packets to, it starts off with a multicast packet to a special IPv6 multicast address composed of the last 24 bits of the IPv6 address (ff02::1:ff00/104 which maps to a Layer 2 multicast address 33:33:ff:xx:xx:xx) - see RFC4291. All devices on the same broadcast domain will hear this message, but presumably there are very few that will actually act on it, and only one will match exactly and trigger a response.
                        The response packet is an ICMP6 neighbor advertisement back to the sender, thus the sender learns the MAC address to which to direct further traffic.

                        If there is no response to an ICMP6 neighbor solicitation message, traffic shall not pass! 😉

                        Edit - What the ND Proxy will do in cases where the desired destination is not on the same subnet is respond to that ICMP6 neighbor solicitation message on behalf of devices on the other side of the router, so that the traffic is actually delivered.

                        –A.

                        1 Reply Last reply Reply Quote 0
                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by

                          @awebster You need to be specifically looking for ICMP6 neighbor solicitation messages

                          Ah I didn't test it. I know you will capture ARP if you filter on a host address. Guess I have never looked for ND the same way.

                          Chattanooga, Tennessee, USA
                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          awebsterA 1 Reply Last reply Reply Quote 0
                          • awebsterA
                            awebster @Derelict
                            last edited by

                            @Derelict You had me second guessing myself...
                            I had always used the icmp6 filter on tcpdump, but then I tried out what you had suggested, and it did appear to work when specifying host... but that was on a Linux host.
                            On pfSense, tcpdump does not show anything when specifying host for a non-existent host, only icmp6 shows the ND Solicit messages.
                            Clearly, the tcpdump parsers are different!

                            pfSense 2.4.4-p3
                            tcpdump version 4.9.2
                            libpcap version 1.8.1

                            Linux CentOS 6.10:
                            tcpdump version 4.1-PRE-CVS_2017_03_21
                            libpcap version 1.4.0

                            –A.

                            1 Reply Last reply Reply Quote 0
                            • C
                              cmpsalvestrini
                              last edited by

                              Dear all,

                              Thank you. I will keep plugging at this; will keep posted as need arises.

                              Cheers!

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.