IPv6 forwarding in 2.5 RC unexpectedly broken
-
After doing a clean install of 2.5 (and importing my 2.4 config) suddenly IPv6 forwarding, specifically, no longer works as expected.
I've got
- lagg0.31 ("GENERAL") with inet6 2620:42:c000::1 prefixlen 64,
- lagg0.36 ("HEXTET0") with inet6 2620:132:3002:100d::2 prefixlen 124
IPv6 routes
- default 2620:132:3002:100d::1 UGS lagg0.36
No NPt rules configured whatsoever.
Rules on GENERAL consist only of
- Enabled / IPv4+IPv6 / Source: GENERAL / Port * / Dest * / Gw * / Q none
and on HEXTET0:
- only the anti-lockout rule
From a PC on VLAN 31, I can ping the firewall. Traffic shows up and looks 100% normal in tcpdump. I can ping any up interface on the firewall, not just the link-specific IP.
From the firewall, I can ping my next-hop, and beyond. Traffic shows up and looks 100% normal in tcpdump.
From that same PC on VLAN 31, when I ping anything beyond the firewall, I get... nothing. No ICMP unreachable, just timeouts.
Also:
- IPv4 appears to work correctly.
- Unbound is broken when accessed over IPv6, so I switched from DNS Resolver to DNS Forwarder, which appears to work correctly.
Basically, this worked in 2.4.<latest>, and now appears to be broken in 2.5 RC. Did something change that I haven't taken into account? Or is this a bug? Or something somewhere in between?
-Adam
-
More information:
- net.inet6.ip6.forwarding is (still) set to 1. Changing it to 0 and back to 1 has no effect.
- pfctl -d / pfctl -e has no effect, in any order, so it's not a pf rule problem
-
Found it. I advertise my routes via BGP. There's no OpenBGPd package in 2.5 RC. So, I'm not advertising my routes anymore. Never even occurred to me... *&^%$#@!
Guess I'll install FRR and try that out now, whether I wanted to or not.
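
The symptom pattern in this thread (pings sourced from the firewall succeed, forwarded pings time out silently) can be narrowed down by comparing `tcpdump -n` captures taken on the inside and outside interfaces. The following is an added example, not part of the original posts: the capture lines are constructed, and the host 2620:42:c000::10, the destination 2001:db8::1 and the function names are assumptions.

```python
import ipaddress
import re

# Matches ICMPv6 echo lines as printed by `tcpdump -n`.
ECHO = re.compile(r"IP6 (\S+) > (\S+): ICMP6, echo (request|reply)\b")

def echoes(lines, inside_net):
    """Return (requests sourced from inside_net, replies destined to it)."""
    net = ipaddress.ip_network(inside_net)
    req = rep = 0
    for line in lines:
        m = ECHO.search(line)
        if not m:
            continue
        src, dst, kind = m.groups()
        if kind == "request" and ipaddress.ip_address(src) in net:
            req += 1
        elif kind == "reply" and ipaddress.ip_address(dst) in net:
            rep += 1
    return req, rep

def classify(lan_lines, wan_lines, inside_net):
    """Say where forwarded echo traffic from inside_net stops."""
    lan_req, _ = echoes(lan_lines, inside_net)
    wan_req, wan_rep = echoes(wan_lines, inside_net)
    if lan_req == 0:
        return "no-requests-on-lan"      # host or VLAN problem
    if wan_req == 0:
        return "dropped-on-firewall"     # forwarding sysctl, pf, or routing table
    if wan_rep == 0:
        return "no-return-path"          # upstream has no route back to inside_net
    return "ok"

# Constructed sample captures (not from the thread).
LAN = ["12:00:01.000100 IP6 2620:42:c000::10 > 2001:db8::1: ICMP6, echo request, seq 1, length 16"]
WAN = [
    # Forwarded ping from the VLAN 31 host: leaves, never answered.
    "12:00:01.000200 IP6 2620:42:c000::10 > 2001:db8::1: ICMP6, echo request, seq 1, length 16",
    # Ping sourced from the firewall's own transit address: answered.
    "12:00:02.000100 IP6 2620:132:3002:100d::2 > 2001:db8::1: ICMP6, echo request, seq 1, length 16",
    "12:00:02.003100 IP6 2001:db8::1 > 2620:132:3002:100d::2: ICMP6, echo reply, seq 1, length 16",
]

if __name__ == "__main__":
    print(classify(LAN, WAN, "2620:42:c000::/64"))
```

A `no-return-path` result with a healthy firewall-sourced ping points away from the forwarding sysctl and pf and toward how the inside prefix is announced upstream, which is where this thread ended up.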