Netgate Discussion Forum

    IPv6 strangeness

    • cmpsalvestrini

      I had an epiphany of sorts. What if I use ULA and NPT? I've never looked at that option seriously, but I might consider it now. Of course there is the ultimate irony: That I -- having native IPv6 from my ISP -- be forced to use HE.net's tunnel broker (drumroll).

      Will test & report back.

      • JKnott @cmpsalvestrini

        @cmpsalvestrini

        That wouldn't work either. There'd be no way for packets to be routed to your LANs.

        I'm on an ISP called Rogers. They provide a /56 via DHCPv6-PD, which provides everything pfSense needs to work with up to 256 /64s. If they receive a packet for one of my /64s, then they forward it to pfSense, which in turn forwards it as appropriate. Without the ISP forwarding traffic, that won't work.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • Derelict LAYER 8 Netgate @awebster

          @awebster Putting a /56 on an interface is complete nonsense and they should be laughed out of existence and ridiculed at every opportunity.

          What ISP/Hosting/colo is this, anyway?

          @cmpsalvestrini said in IPv6 strangeness:

          Prefix is 2001:818:d9d9:ba00::/56 provisioned through DHCPv6.

          Do this:

          Pick an address from some random /64 there like 2001:818:d9d9:bafe::1

          Start a packet capture on your WAN for all IPv6 with 2001:818:d9d9:bafe::1 as the host.

          Find an outside way to ping6 it and ping6 it. (http://www.ipv6now.com.au/pingme.php)

          Stop and examine the packet capture. Do you see ND for that address or ICMP6 arriving to that address as the destination?

          Please also show us the resulting WAN configuration in Status > Interfaces

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • cmpsalvestrini

            @Derelict the ISP is Vodafone Portugal - I may be switching ISPs because of this nonsense. Will do as you ask, & post results.

            Edit - Got the packet capture, I find exactly zero ND on the first run. Doing a second run now, to confirm, with another address.

            Edit #2 - Packet capture done. Here are the results.

            23:08:07.944717 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.63919 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 46
            23:08:07.944760 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.63919: UDP, length 12
            23:08:12.698103 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402, length 32
            23:08:12.698120 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:a940:4aec:d1aa:a207: ICMP6, neighbor advertisement, tgt is 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402, length 24
            23:08:17.580837 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:a940:4aec:d1aa:a207: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:a940:4aec:d1aa:a207, length 32
            23:08:17.582350 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor advertisement, tgt is 2001:818:d9d9:ba00:a940:4aec:d1aa:a207, length 32
            23:08:19.840689 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.60675 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 55
            23:08:19.840732 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.60675: UDP, length 12
            23:08:19.842781 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.60675 > 2606:4700:4700::1001.53: UDP, length 55
            23:08:19.842796 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207.60675 > 2606:4700:4700::1001.53: UDP, length 55
            23:08:19.842803 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:a940:4aec:d1aa:a207: ICMP6, redirect, 2606:4700:4700::1001 to fe80::6eb3:11ff:fe1b:5402, length 152
            23:08:29.781571 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.47585 > 2001:4860:4860::8844.53: UDP, length 56
            23:08:29.781910 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.17408 > 2606:4700:4700::1111.53: UDP, length 56
            23:08:29.785855 IP6 2606:4700:4700::1111.53 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.17408: UDP, length 220
            23:08:29.822875 IP6 2001:4860:4860::8844.53 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.47585: UDP, length 220
            23:08:29.823033 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.60656 > 2001:4860:4860::8844.53: UDP, length 51
            23:08:29.856275 IP6 2001:4860:4860::8844.53 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.60656: UDP, length 136
            23:08:31.983364 IP6 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127 > 2001:818:d9d9:ba01::1.53: UDP, length 42
            23:08:31.983406 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127: UDP, length 12
            23:08:31.983415 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1111.53: UDP, length 42
            23:08:31.983427 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1001.53: UDP, length 42
            23:08:31.983427 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1111.53: UDP, length 42
            23:08:31.983438 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1001.53: UDP, length 42
            23:08:31.983444 IP6 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
            23:08:31.983458 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127: UDP, length 12
            23:08:36.920056 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:265e:beff:fe1e:8b45: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:265e:beff:fe1e:8b45, length 32
            23:08:36.920151 IP6 2001:818:d9d9:ba00:265e:beff:fe1e:8b45 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor advertisement, tgt is 2001:818:d9d9:ba00:265e:beff:fe1e:8b45, length 24
            23:08:36.993102 IP6 fe80::265e:beff:fe1e:8b45 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402, length 32
            23:08:50.089195 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.51647 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
            23:08:50.089233 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.51647: UDP, length 12
            23:08:50.089293 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.62184 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
            23:08:50.089308 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.62184: UDP, length 12
            23:08:50.089401 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59579 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 39
            23:08:50.089410 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59579: UDP, length 12
            23:08:50.089515 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.65012 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 39
            23:08:50.089533 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.65012: UDP, length 12
            23:08:50.107520 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.54771 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 32
            23:08:50.107531 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.54771: UDP, length 12
            23:08:50.108276 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.49608 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 32
            23:08:50.108289 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.49608: UDP, length 12
            23:08:50.117670 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58438 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
            23:08:50.117682 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58438: UDP, length 12
            23:08:50.118107 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.55657 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
            23:08:50.118116 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.55657: UDP, length 12
            23:08:50.120082 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, destination unreachable, unreachable port, 2001:818:d9d9:ba00:2158:328a:6bd:e98c udp port 58438, length 68
            23:08:50.120087 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, destination unreachable, unreachable port, 2001:818:d9d9:ba00:2158:328a:6bd:e98c udp port 55657, length 68
            23:08:50.178559 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59034 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
            23:08:50.178571 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59034: UDP, length 12
            23:08:50.179713 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.63271 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
            23:08:50.179724 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.63271: UDP, length 12
            23:08:50.733725 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.53185 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
            23:08:50.733765 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.53185: UDP, length 12
            23:08:50.734117 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58430 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
            23:08:50.734133 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58430: UDP, length 12
            23:08:51.179880 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59034 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
            23:08:51.179897 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.59034: UDP, length 12
            23:08:51.179908 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.63271 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 34
            23:08:51.179919 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.63271: UDP, length 12
            23:08:51.741577 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.53185 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
            23:08:51.741588 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.53185: UDP, length 12
            23:08:51.741685 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58430 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
            23:08:51.741696 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c.58430: UDP, length 12
            23:08:52.686759 IP6 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127 > 2001:818:d9d9:ba01::1.53: UDP, length 42
            23:08:52.686782 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127: UDP, length 12
            23:08:52.686805 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1111.53: UDP, length 42
            23:08:52.686810 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1111.53: UDP, length 42
            23:08:52.686817 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1001.53: UDP, length 42
            23:08:52.686823 IP6 2001:818:d9d9:ba02:265e:beff:fe1e:8b45.37127 > 2606:4700:4700::1001.53: UDP, length 42
            23:08:52.686857 IP6 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127 > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53: UDP, length 42
            23:08:52.686870 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402.53 > 2001:818:d9d9:ba00:265e:beff:fe1e:8b45.37127: UDP, length 12
            23:08:53.015682 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52059 > 2a01:b740:a41:401::a.443: tcp 0
            23:08:53.015698 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52059 > 2a01:b740:a41:401::a.443: tcp 0
            23:08:53.015705 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:401::a to fe80::6eb3:11ff:fe1b:5402, length 136
            23:08:53.278807 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52060 > 2a01:b740:a41:409::5.443: tcp 0
            23:08:53.278817 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52060 > 2a01:b740:a41:409::5.443: tcp 0
            23:08:53.278821 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:409::5 to fe80::6eb3:11ff:fe1b:5402, length 136
            23:08:53.531285 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52061 > 2a01:b740:a41:401::7.443: tcp 0
            23:08:53.531307 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52061 > 2a01:b740:a41:401::7.443: tcp 0
            23:08:53.531314 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:401::7 to fe80::6eb3:11ff:fe1b:5402, length 136
            23:08:53.763758 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402, length 32
            23:08:53.763772 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, neighbor advertisement, tgt is 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402, length 24
            23:08:54.396038 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52062 > 2a01:b740:a41:102::4.443: tcp 0
            23:08:54.396049 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52062 > 2a01:b740:a41:102::4.443: tcp 0
            23:08:54.396053 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:102::4 to fe80::6eb3:11ff:fe1b:5402, length 136
            23:08:54.653744 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52063 > 2a01:b740:a41:107::d.443: tcp 0
            23:08:54.653753 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52063 > 2a01:b740:a41:107::d.443: tcp 0
            23:08:54.653756 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:107::d to fe80::6eb3:11ff:fe1b:5402, length 136
            23:08:54.791802 IP6 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, neighbor solicitation, who has 2001:818:d9d9:ba00:2158:328a:6bd:e98c, length 32
            23:08:54.794227 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c > 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor advertisement, tgt is 2001:818:d9d9:ba00:2158:328a:6bd:e98c, length 24
            23:08:54.911315 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52064 > 2a01:b740:a41:107::15.443: tcp 0
            23:08:54.911320 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52064 > 2a01:b740:a41:107::15.443: tcp 0
            23:08:54.911322 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a01:b740:a41:107::15 to fe80::6eb3:11ff:fe1b:5402, length 136
            23:08:56.262095 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52065 > 2a00:1450:400c:c00::6c.993: tcp 0
            23:08:56.262108 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52065 > 2a00:1450:400c:c00::6c.993: tcp 0
            23:08:56.262112 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a00:1450:400c:c00::6c to fe80::6eb3:11ff:fe1b:5402, length 136
            23:08:56.292762 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52066 > 2a00:1450:400c:c07::6c.993: tcp 0
            23:08:56.292771 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52066 > 2a00:1450:400c:c07::6c.993: tcp 0
            23:08:56.292775 IP6 fe80::6eb3:11ff:fe1b:5402 > 2001:818:d9d9:ba00:2158:328a:6bd:e98c: ICMP6, redirect, 2a00:1450:400c:c07::6c to fe80::6eb3:11ff:fe1b:5402, length 136
            23:08:56.584227 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52067 > 2a00:1450:400c:c07::6c.993: tcp 0
            23:08:56.584250 IP6 2001:818:d9d9:ba00:2158:328a:6bd:e98c.52067 > 2a00:1450:400c:c07::6c.993: tcp 0

            • Derelict LAYER 8 Netgate

              You didn't filter on the specific host so I have no idea what I'm looking at there.

              • cmpsalvestrini

                @Derelict

                Attempted to, packet capture returned blank when I did.

                • JKnott @cmpsalvestrini

                  @cmpsalvestrini said in IPv6 strangeness:

                  I find exactly zero ND on the first run.

                  I see several. ND stands for Neighbor Discovery. It's the IPv6 equivalent of ARP. I see both Neighbor Solicitation and Neighbor Advertisement in your capture. Those are the equivalent of ARP request and reply. Do any of those contain the address you pinged? Also, it's easier to download the capture and use Wireshark to read it.

                  • awebster @cmpsalvestrini

                    @cmpsalvestrini You need to be specifically looking for ICMP6 neighbor solicitation messages, simply trying to capture while filtering for the host won't show anything because it hasn't been found yet (i.e., it doesn't exist), consequently the capture will show nothing.
                    You are basically looking for the IPv6 equivalent of an ARP WHO-HAS message.
                    Here is an example of what that actually looks like IRL, but let me set the stage...

                    Host xxxx:yyyy:zzzz:e001::4:9, MAC address: 00:0c:29:cb:fd:01
                    Host xxxx:yyyy:zzzz:e001::4:61, MAC address: 00:0c:29:d7:c8:44
                    ::4:9 has not talked to ::4:61 recently, so needs to figure out how to do that.
                    All Ethernet communication is ultimately Layer 2 based, Layer 3 stuff comes after the hosts have figured out how to reach each other.

                    08:38:22.234952 00:0c:29:cb:fd:01 > 33:33:ff:04:00:61, ethertype IPv6 (0x86dd), length 86: xxxx:yyyy:zzzz:e001::4:9 > ff02::1:ff04:61: ICMP6, neighbor solicitation, who has xxxx:yyyy:zzzz:e001::4:61, length 32
                    
                    08:38:22.234973 00:0c:29:d7:c8:44 > 00:0c:29:cb:fd:01, ethertype IPv6 (0x86dd), length 86: xxxx:yyyy:zzzz:e001::4:61 > xxxx:yyyy:zzzz:e001::4:9: ICMP6, neighbor advertisement, tgt is xxxx:yyyy:zzzz:e001::4:61, length 32
                    

                    In the above capture, you can see host xxxx:yyyy:zzzz:e001::4:9 wanting to communicate with xxxx:yyyy:zzzz:e001::4:61, but it doesn't yet know where to send the packets, so it asks...
                    Since ..::4:9 doesn't know the Layer 2 MAC address to which to send the packets to, it starts off with a multicast packet to a special IPv6 multicast address composed of the last 24 bits of the IPv6 address (ff02::1:ff00/104 which maps to a Layer 2 multicast address 33:33:ff:xx:xx:xx) - see RFC4291. All devices on the same broadcast domain will hear this message, but presumably there are very few that will actually act on it, and only one will match exactly and trigger a response.
                    The response packet is an ICMP6 neighbor advertisement back to the sender, thus the sender learns the MAC address to which to direct further traffic.

                    If there is no response to an ICMP6 neighbor solicitation message, traffic shall not pass! 😉

                    Edit - What the ND Proxy will do in cases where the desired destination is not on the same subnet is respond to that ICMP6 neighbor solicitation message on behalf of devices on the other side of the router, so that the traffic is actually delivered.

                    –A.
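
The mapping and the capture test discussed in this thread, as an added example that is not part of any poster's message. It derives the solicited-node group and its Ethernet multicast MAC for a probe address, builds a capture filter that also matches the multicast group a solicitation is sent to, and classifies tcpdump text lines as ND or echo traffic for that probe. Function names are hypothetical; one sample line is copied from the capture above and the other is constructed.

```python
import ipaddress
import re

# tcpdump text forms seen in this thread: "who has <addr>," and "tgt is <addr>,"
ND_RE = re.compile(r"ICMP6, neighbor (solicitation|advertisement), "
                   r"(?:who has|tgt is) ([0-9a-fA-F:]+)")
# IPv6 destination of an echo request (also skips the MAC pair in -e output)
ECHO_RE = re.compile(r"> ([0-9a-fA-F:]+): ICMP6, echo request")


def _ip(text):
    """Parse an IPv6 literal, returning None for anything malformed."""
    try:
        return ipaddress.IPv6Address(text)
    except ValueError:
        return None


def solicited_node(addr):
    """ff02::1:ff00:0/104 plus the low 24 bits of the unicast address (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def multicast_mac(group):
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def capture_filter(probe):
    """pcap filter matching unicast ICMPv6 for the probe and solicitations for it.

    A solicitation names the probe only inside the ICMPv6 body; its IPv6
    destination is the solicited-node group, so the filter matches that too.
    """
    probe = ipaddress.IPv6Address(probe)
    return f"icmp6 and (host {probe} or dst host {solicited_node(probe)})"


def classify(lines, probe):
    """Return the kinds of evidence for `probe` found in tcpdump text output."""
    probe = ipaddress.IPv6Address(probe)
    seen = set()
    for line in lines:
        m = ND_RE.search(line)
        if m and _ip(m.group(2)) == probe:
            seen.add("neighbor-" + m.group(1))   # upstream treats probe as on-link
        m = ECHO_RE.search(line)
        if m and _ip(m.group(1)) == probe:
            seen.add("echo-request")             # ping was forwarded to this box
    return seen


SAMPLE = [
    # copied from the capture posted in this thread (ND for a ba00 host, not the probe)
    "23:08:12.698103 IP6 2001:818:d9d9:ba00:a940:4aec:d1aa:a207 > "
    "2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402: ICMP6, neighbor solicitation, "
    "who has 2001:818:d9d9:ba00:6eb3:11ff:fe1b:5402, length 32",
    # constructed: an upstream router soliciting the probe address on the WAN
    "23:10:01.000000 IP6 fe80::1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, "
    "who has 2001:818:d9d9:bafe::1, length 32",
]

if __name__ == "__main__":
    probe = "2001:818:d9d9:bafe::1"
    print(solicited_node(probe), multicast_mac(solicited_node(probe)))
    print(capture_filter(probe))
    print(classify(SAMPLE, probe))
```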

                    • Derelict LAYER 8 Netgate

                      @awebster You need to be specifically looking for ICMP6 neighbor solicitation messages

                      Ah I didn't test it. I know you will capture ARP if you filter on a host address. Guess I have never looked for ND the same way.

                      • awebster @Derelict

                        @Derelict You had me second guessing myself...
                        I had always used the icmp6 filter on tcpdump, but then I tried out what you had suggested, and it did appear to work when specifying host... but that was on a Linux host.
                        On pfSense, tcpdump does not show anything when specifying host for a non-existent host, only icmp6 shows the ND Solicit messages.
                        Clearly, the tcpdump parsers are different!

                        pfSense 2.4.4-p3
                        tcpdump version 4.9.2
                        libpcap version 1.8.1

                        Linux CentOS 6.10:
                        tcpdump version 4.1-PRE-CVS_2017_03_21
                        libpcap version 1.4.0

                        –A.

                        • cmpsalvestrini

                          Dear all,

                          Thank you. I will keep plugging at this; will keep posted as need arises.

                          Cheers!
