No responses to IPv6 "neighbor solicitation who has" with CARP



  • Hi,

    I have a situation where a pair of pfSense (vm) instances are using CARP, and connected to a WAN as follows:
    pfSense #1 WAN IP: WXYZ::1c
    pfSense #2 WAN IP: WXYZ::1d
    CARP Virtual IP: WXYZ::1e
    Gateway (provider): WXYZ::19

    On Box#1 (or current master)
    ping6 WXYZ::19 works fine, since it uses the real IP

    PING6(56=40+8+8 bytes) WXYZ::1c --> WXYZ::19
    16 bytes from WXYZ::19, icmp_seq=0 hlim=64 time=2.777 ms
    16 bytes from WXYZ::19, icmp_seq=1 hlim=64 time=1.236 ms

    But if I ping using the virtual IP as source IP, I get no response

    ping6 -S WXYZ::1e WXYZ::19
    PING6(56=40+8+8 bytes) WXYZ::1e --> WXYZ::19

    Using tcpdump, I do see a neighbor solicitation request shortly after the pinging starts

    13:55:32.511551 ethertype IPv6 (0x86dd), length 70: WXYZ::1e > WXYZ::19: ICMP6, echo request, seq 0, length 16
    13:55:33.518225 ethertype IPv6 (0x86dd), length 70: WXYZ::1e > WXYZ::19: ICMP6, echo request, seq 1, length 16
    13:55:34.517878 ethertype IPv6 (0x86dd), length 70: WXYZ::1e > WXYZ::19: ICMP6, echo request, seq 2, length 16
    13:55:37.888764 ethertype IPv6 (0x86dd), length 86: WXYZ::19 > WXYZ::1e: ICMP6, neighbor solicitation, who has WXYZ::1e, length 32

    Problem is that despite having IPv6 ICMP allowed (also tried with any) from provider's network to all my real + virtual IPs, any type, logging turned on, nothing is recorded in the logs!

    So the question is this: should pfSense be responding to the neighbor solicitation "who has" request?
    Without that, I don't see how layer 2 is going to be able to figure out where to forward the packet.

    Also, from outside source pinging WXYZ::1c and WXYZ::1d works fine, but WXYZ::1e does not.

    Suggestions anyone?


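One way to check a capture like the one in the post for neighbor solicitations that never get a neighbor advertisement back, as an added example that is not part of the original post. The sample lines, the 2001:db8:: addresses, the function name and the one-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the tcpdump format shown in the post; the addresses
# are documentation-range placeholders, not the poster's.
SAMPLE = """\
13:55:32.511551 ethertype IPv6 (0x86dd), length 70: 2001:db8::1e > 2001:db8::19: ICMP6, echo request, seq 0, length 16
13:55:37.888764 ethertype IPv6 (0x86dd), length 86: 2001:db8::19 > 2001:db8::1e: ICMP6, neighbor solicitation, who has 2001:db8::1e, length 32
13:55:38.100000 ethertype IPv6 (0x86dd), length 86: 2001:db8::19 > ff02::1:ff00:1c: ICMP6, neighbor solicitation, who has 2001:db8::1c, length 32
13:55:38.100400 ethertype IPv6 (0x86dd), length 86: 2001:db8::1c > 2001:db8::19: ICMP6, neighbor advertisement, tgt is 2001:db8::1c, length 32
"""

# Matches only NS ("who has X") and NA ("tgt is X") lines; other traffic is skipped.
LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) .*?ICMP6, neighbor "
    r"(?P<kind>solicitation, who has|advertisement, tgt is) "
    r"(?P<addr>[0-9A-Za-z:]+),"
)


def unanswered_solicitations(capture, window=timedelta(seconds=1)):
    """Return (timestamp, target) for each NS with no NA for that target
    within `window`. Assumes the capture does not cross midnight."""
    events = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
            is_ns = m["kind"].startswith("solicitation")
            events.append((ts, is_ns, m["addr"].lower()))

    missing = []
    for ts, is_ns, addr in events:
        if not is_ns:
            continue
        answered = any(
            not other_is_ns and other_addr == addr and ts <= other_ts <= ts + window
            for other_ts, other_is_ns, other_addr in events
        )
        if not answered:
            missing.append((ts.strftime("%H:%M:%S.%f"), addr))
    return missing


if __name__ == "__main__":
    for when, target in unanswered_solicitations(SAMPLE):
        print(f"{when}: no neighbor advertisement seen for {target}")
```

In the constructed sample the real interface address is answered and the virtual address is not, which is the pattern the post describes for the CARP VIP.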