static IPv6 stuck in DAD after upgrade to 2.5.1
-
After upgrading my firewall from 2.5.0 to 2.5.1, my two dedicated IPv6 interfaces will not finish initializing - they're stuck sending DAD packets to the Solicited Multicast address.
Upper layers think everything is fine - gateway monitoring thinks it's pinging (it's not - tcpdump proves that) but getting no response. Well, true enough, a ping gets no response from the upstream gateways ('cuz it didn't get sent!), but tcpdump on both shows an endless series of NDP DAD queries.
(I think the Solicited Multicast address is wrong, too, but am not 100% sure of that.)
These connections are bridged through a switch (no changes there) which is seeing the MAC addresses from both ends of the connection.
NDP is not working from the other end of the links - my ISP can't get an NDP response from me at all.

Setting sysctl net.inet6.ip6.dad_count=0 and rebooting eliminates the DAD problem, which points to a problem somewhere else, as I still don't see any replies whatsoever - something lower-layer is broken. (The new enhanced DAD algorithm was & is in place throughout, I didn't touch that.) Now tcpdump shows an endless series of ND packets, with not a single packet being received, which is highly improbable, nearly impossible - at the very least I should be seeing the ND packets being sent my way. And my switch confirms I am receiving packets on this VLAN (see below), which vanish into /dev/null somehow.
The one weird part of my setup is that all my interfaces run through a LAG to a switch, on VLANs, in a one-armed-router topology. Both IPv6 links connect to a Mikrotik CPE (yes, we understand the SPOF involved, thank you) through that switch.
I'll try moving the two IPv6 links to physical ethernet ports and connecting them directly, and see what happens.
Any ideas? This worked perfectly on 2.5.0, no settings on any devices were changed here, and now post-2.5.1 upgrade it's broken.
-Adam (call me "Corner Case") Thompson
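As an added example (not part of Adam's post or of pfSense/FreeBSD): a small Python helper that derives the solicited-node multicast address (RFC 4291, ff02::1:ffXX:XXXX, low 24 bits of the unicast address) and the matching Ethernet multicast MAC (33:33 plus the low 32 bits of the group address) from a tentative IPv6 address, and builds the tcpdump filter that isolates DAD neighbor solicitations for it (ICMPv6 type 135 from the unspecified source ::). The sample addresses are constructed; the point is to check the destination seen in tcpdump against what the host should be sending when an address sits in the tentative state.

```python
import ipaddress

# Solicited-node prefix ff02::1:ff00:0/104 as an integer (RFC 4291 section 2.7.1).
_SOLICITED_NODE_PREFIX = (0xFF02 << 112) | (0x1 << 32) | (0xFF << 24)


def solicited_node_address(addr: str) -> str:
    """Solicited-node multicast group a host joins for IPv6 unicast address `addr`."""
    unicast = ipaddress.IPv6Address(addr)
    low24 = int(unicast) & 0xFFFFFF          # last 24 bits of the unicast address
    return str(ipaddress.IPv6Address(_SOLICITED_NODE_PREFIX | low24))


def solicited_node_mac(addr: str) -> str:
    """Ethernet multicast MAC for the solicited-node group (33:33 + low 32 bits, RFC 2464)."""
    group = int(ipaddress.IPv6Address(solicited_node_address(addr)))
    low32 = (group & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def dad_tcpdump_filter(addr: str) -> str:
    """tcpdump filter matching DAD neighbor solicitations for `addr`.

    DAD probes are ICMPv6 Neighbor Solicitations (type 135, byte 40 of the IPv6
    packet when no extension headers are present) sent from :: to the
    solicited-node group of the address being probed.
    """
    return (
        "icmp6 and ip6[40] == 135 and src host :: "
        f"and dst host {solicited_node_address(addr)}"
    )


def dad_destination_matches(tentative_addr: str, observed_dst: str) -> bool:
    """True if the destination seen on the wire is the expected solicited-node group."""
    expected = ipaddress.IPv6Address(solicited_node_address(tentative_addr))
    return ipaddress.IPv6Address(observed_dst) == expected


if __name__ == "__main__":
    # Constructed sample address standing in for a static WAN address.
    sample = "2001:db8::1"
    print(solicited_node_address(sample))   # ff02::1:ff00:1
    print(solicited_node_mac(sample))       # 33:33:ff:00:00:01
    print(dad_tcpdump_filter(sample))
```

Usage: run the printed filter with `tcpdump -ni <iface> '<filter>'` on the firewall; if the DAD probes go to a different group than `solicited_node_address()` reports, the address or the interface is not what you think it is, and the MAC from `solicited_node_mac()` is the group the switch/LAG must be forwarding for the probe (and the ISP's neighbor solicitations) to arrive at all.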
-
Another weird thing... although tcpdump shows no packets received whatsoever, the interface counters are incrementing.
This seems more like a FreeBSD bug than a pfSense bug, where on earth do I go from here?
-
Nope. Solution for tonight is just disable IPv6 completely and live in IPv4 land. Thankfully this is a small network, I can reboot (or release/renew, or disconnect/reconnect) everything pretty quickly.
I'll try non-VLAN, non-LAG ports tomorrow.