# pkgmir.geo.freebsd.org's IPv6 is broken



## eldaemon (May 29, 2020)

Working with `pkg` is painful right now on a system with IPv6. pkg install, update, etc., have tons of hangs and you have to wait forever for timeouts.


----------



## zirias@ (May 29, 2020)

I don't use binary packages, but did some quick checks:

```
$ host pkgmir.geo.freebsd.org
pkgmir.geo.freebsd.org has address 139.178.72.201
pkgmir.geo.freebsd.org has address 213.138.116.73
pkgmir.geo.freebsd.org has IPv6 address 2604:1380:2000:9501::50:2
pkgmir.geo.freebsd.org has IPv6 address 2001:41c8:112:8300::50:1

$ ping6 2604:1380:2000:9501::50:2
PING6(56=40+8+8 bytes) 2001:470:1f0b:bc9:99::2 --> 2604:1380:2000:9501::50:2
16 bytes from 2604:1380:2000:9501::50:2, icmp_seq=0 hlim=57 time=19.816 ms
16 bytes from 2604:1380:2000:9501::50:2, icmp_seq=1 hlim=57 time=20.366 ms

$ ping6 2001:41c8:112:8300::50:1
PING6(56=40+8+8 bytes) 2001:470:1f0b:bc9:99::2 --> 2001:41c8:112:8300::50:1
16 bytes from 2001:41c8:112:8300::50:1, icmp_seq=0 hlim=52 time=29.500 ms
16 bytes from 2001:41c8:112:8300::50:1, icmp_seq=1 hlim=52 time=30.619 ms

$ telnet 2604:1380:2000:9501::50:2 80
Trying 2604:1380:2000:9501::50:2...
Connected to 2604:1380:2000:9501::50:2.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

$ telnet 2604:1380:2000:9501::50:2 443
Trying 2604:1380:2000:9501::50:2...
Connected to 2604:1380:2000:9501::50:2.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
```

So, probably nothing "broken" here. But of course you might end up with other addresses.

I suggest you do some similar testing and then open a PR with details, as I assume you'd like this to be fixed!


----------



## D-FENS (May 29, 2020)

eldaemon said:


> Working with `pkg` is painful right now on a system with IPv6. pkg install, update, etc., have tons of hangs and you have to wait forever for timeouts.


Hangs and timeouts are usually a symptom of bad DNS configuration, in my experience.
Try debugging your DNS and tracing more information, for example with dig, drill or nslookup.


```
time dig google.com
time dig freebsd.org
time drill google.com
# etc.
```

Also, check if your IP is configured properly:
- IPv6 addresses
- Routing tables

Then make sure the firewall does not cut off some packets.
- Log all your deny rules in the IPFW configuration
- Check /var/log/security if packets are being denied when timeouts happen.


----------



## eldaemon (May 30, 2020)

It might have just been the network I was testing from. IPv6 was fine to most places. It might be just one bad mirror I kept getting over and over.

Either way, the internal timeouts should probably be adjusted.


----------



## D-FENS (Jun 4, 2020)

Having your last reply in mind, I think DNS is even more likely to be the cause.
Regarding the timeout adjustments: timeouts of your connections are (theoretically) independent of your IP version (4 or 6 does not matter) because they are implemented in TCP (or in your UDP applications themselves).
It should make absolutely no difference if IPv6 or IPv4 is used.
I suppose you could configure the TCP timeouts as described here: https://calomel.org/freebsd_network_tuning.html

```
net.inet.tcp.blackhole=2           # drop tcp packets destined for closed ports (default 0)
net.inet.tcp.drop_synfin=1         # SYN/FIN packets get dropped on initial connection (default 0)
net.inet.tcp.fast_finwait2_recycle=1 # recycle FIN/WAIT states quickly, helps against DoS, but may cause false RST (default 0)
net.inet.tcp.fastopen.client_enable=0 # disable TCP Fast Open client side, enforce three way TCP handshake (default 1, enabled)
net.inet.tcp.fastopen.server_enable=0 # disable TCP Fast Open server side, enforce three way TCP handshake (default 0)
net.inet.tcp.finwait2_timeout=1000 # TCP FIN_WAIT_2 timeout waiting for client FIN packet before state close (default 60000, 60 sec)
net.inet.tcp.icmp_may_rst=0        # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
net.inet.tcp.keepcnt=2             # amount of tcp keep alive probe failures before socket is forced closed (default 8)
net.inet.tcp.keepidle=62000        # time before starting tcp keep alive probes on an idle, TCP connection (default 7200000, 7200 secs)
net.inet.tcp.keepinit=5000         # tcp keep alive client reply timeout (default 75000, 75 secs)
net.inet.tcp.msl=2500              # Maximum Segment Lifetime, time the connection spends in TIME_WAIT state (default 30000, 2*MSL = 60 sec)
net.inet.tcp.path_mtu_discovery=0  # disable for mtu=1500 as most paths drop ICMP type 3 packets, but keep enabled for mtu=9000 (default 1)
```
What you mean is presumably *finwait2_timeout*.


----------



## eldaemon (Jun 6, 2020)

These are retry timeouts internal to pkg, I believe.

The difference is if you have IPv6 connectivity (default route) and cannot reach the mirror over IPv6, it tries over and over before giving up and trying IPv4.


----------
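Added example, not part of any post in this thread: the manual `host` / `telnet` checks shown earlier, automated so that every A and AAAA address of the mirror is probed with a bounded connect timeout and a single unreachable address or address family stands out. The function names, the default port 443 and the 3-second timeout are assumptions made for this sketch; it does not reproduce pkg's own retry logic.

```python
import socket
import sys
import time


def probe(addr, port, timeout=3.0):
    """One TCP connect to a literal address; returns (ok, seconds, error_name)."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    start = time.monotonic()
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)  # bound the wait instead of using the OS default
            s.connect((addr, port))
        return True, time.monotonic() - start, None
    except OSError as exc:  # timeout, refused, no route, no IPv6 support
        return False, time.monotonic() - start, type(exc).__name__


def check_host(host, port=443, timeout=3.0):
    """Probe every A and AAAA address of host, not just the first one returned."""
    results, seen = [], set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        if addr in seen:
            continue
        seen.add(addr)
        ok, secs, err = probe(addr, port, timeout)
        results.append({
            "family": "IPv6" if family == socket.AF_INET6 else "IPv4",
            "addr": addr, "ok": ok, "secs": round(secs, 3), "error": err,
        })
    return results


def dead_families(results):
    """Address families in which no address accepted the connection."""
    families = {r["family"] for r in results}
    alive = {r["family"] for r in results if r["ok"]}
    return sorted(families - alive)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "pkgmir.geo.freebsd.org"
    results = check_host(host)
    for r in results:
        state = "ok" if r["ok"] else "FAIL (%s)" % r["error"]
        print("%-4s %-40s %7.3fs  %s" % (r["family"], r["addr"], r["secs"], state))
    print("families with no reachable address:", dead_families(results) or "none")
```

The per-address timings and error names from the machine that sees the hangs are the kind of detail worth attaching to a PR.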

