# FreeBSD 12 not answering neighbor solicitation



## lory (Jan 7, 2019)

Hi,

I have ipv6 from Hurricane Electric, Mikrotik GW, FreeBSD box on LAN.

FreeBSD has a static IPv6 address: 2001:470:1f15:86d::41/64
GW: 2001:470:1f15:86d::1

When trying to ping6 the FreeBSD box from the internet, Mikrotik sends:

```
13:49:20.783868 IP6 fe80::6e3b:6bff:feac:24b2 > ff02::1:ff00:41: ICMP6, neighbor solicitation, who has 2001:470:1f15:86d::41, length 32
13:49:21.783853 IP6 fe80::6e3b:6bff:feac:24b2 > ff02::1:ff00:41: ICMP6, neighbor solicitation, who has 2001:470:1f15:86d::41, length 32
```

FreeBSD does not answer and is not accessible. Linux boxes have no problem: Ubuntu, CentOS, Synology NAS.

This is the output from Mikrotik "/ipv6 neighbor print":

```
0   address=2001:470:1f15:86d::5 interface=ether2 
     mac-address=00:11:32:4B:FC:23 status="reachable" 

 1   address=fe80::211:32ff:fe4b:fc23 interface=ether2 
     mac-address=00:11:32:4B:FC:23 status="stale" 
 
 2   address=2001:470:1f15:86d::41 interface=ether2 status="failed"
```
When I ping6 something from the FreeBSD box, the box is reachable for some time until the neighbor expires.

Best regards.


----------



## SirDice (Jan 7, 2019)

Do you have a firewall enabled on FreeBSD? That might be blocking the ICMP6 messages.


----------



## lory (Jan 7, 2019)

SirDice said:


> Do you have a firewall enabled on FreeBSD? That might be blocking the ICMP6 messages.


No.

Firewall is on Mikrotik.


----------



## lory (Jan 8, 2019)

If I add the ff02::1:ff00:41/104 alias to interface em0, IPv6 works for a while.

`ifconfig em0 inet6 ff02::1:ff00:41/104 alias`

Then it stops and I must delete and add the alias again.


----------



## VladiBG (Jan 8, 2019)

This is a multicast address and you should not add it as an alias.
https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml

How did you configure your IPv6? What is inside /etc/rc.conf and what is the output of `ifconfig`?


----------
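The address ff02::1:ff00:41 seen in the capture is the solicited-node multicast group derived from the unicast address, which the host's IPv6 stack joins itself. The following added example (not part of any post in this thread) derives that group and its Ethernet multicast MAC per RFC 4291 and RFC 2464 and checks the tcpdump line from the first post; the function names are illustrative.

```python
import ipaddress
import re

SOLICITED_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """RFC 4291 2.7.1: ff02::1:ff00:0/104 plus the low 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_BASE | low24)

def ethernet_group(mcast) -> str:
    """RFC 2464 section 7: 33:33 followed by the low 32 bits of the group."""
    low32 = int(ipaddress.IPv6Address(str(mcast))) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))

NS_LINE = re.compile(
    r"IP6 (?P<src>\S+) > (?P<dst>[0-9a-fA-F:]+): ICMP6, neighbor solicitation, "
    r"who has (?P<target>[0-9a-fA-F:]+),"
)

def check_ns(line: str) -> dict:
    """Parse one tcpdump NS line and compare its destination to the expected group."""
    m = NS_LINE.search(line)
    if m is None:
        raise ValueError("not a neighbor solicitation line")
    expected = solicited_node(m["target"])
    dst = ipaddress.IPv6Address(m["dst"])
    return {
        "target": m["target"],
        "expected_group": str(expected),
        "expected_mac": ethernet_group(expected),
        "multicast_probe": dst == expected,  # False for a unicast NUD probe
    }

# Capture line and em0 addresses copied from the thread (scope id dropped).
CAPTURE = ("13:49:20.783868 IP6 fe80::6e3b:6bff:feac:24b2 > ff02::1:ff00:41: "
           "ICMP6, neighbor solicitation, who has 2001:470:1f15:86d::41, length 32")
EM0_ADDRS = ["fe80::468a:5bff:feb5:a19b", "2001:470:1f15:86d::41"]

if __name__ == "__main__":
    print(check_ns(CAPTURE))
    for addr in EM0_ADDRS:
        group = solicited_node(addr)
        print(f"{addr} -> group {group}, Ethernet {ethernet_group(group)}")
```

On the FreeBSD host, ifmcstat(8) shows which groups em0 has actually joined, and a frame capture filtered on the computed MAC shows whether the solicitation reaches the NIC at all.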



## SirDice (Jan 8, 2019)

I also have an IPv6 tunnel from HE and it's been working fine for the past couple of years. But I have the tunnel terminated on my FreeBSD firewall. So I suspect it's something the Mikrotik does (or fails to do).


----------



## VladiBG (Jan 8, 2019)

I suspect that he's missing the fe80:: address on his interface.


----------



## SirDice (Jan 8, 2019)

That's actually a good one. lory can you post the output of ifconfig(8)? And what are the relevant bits from rc.conf?


----------



## lory (Jan 9, 2019)

```
ifconfig

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
        ether 44:8a:5b:b5:a1:9b
        inet 10.0.0.41 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::468a:5bff:feb5:a19b%em0 prefixlen 64 scopeid 0x1
        inet6 2001:470:1f15:86d::41 prefixlen 64
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=8021<PERFORMNUD,AUTO_LINKLOCAL,DEFAULTIF>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```
rc.conf

```
ipv6_gateway_enable="NO"
ipv6_default_interface="em0"
ifconfig_em0_ipv6="inet6 2001:470:1f15:86d::41 prefixlen 64 auto_linklocal"
ipv6_defaultrouter="2001:470:1f15:86d::1"
```
sysctl.conf

```
net.inet6.ip6.forwarding=1
net.inet6.ip6.auto_linklocal=1
```

Before Mikrotik, IPV6 was terminated by FreeBSD and I had no problems.


----------



## VladiBG (Jan 9, 2019)

If this server will no longer act as a gateway, remove ipv6_gateway_enable from your rc.conf. It actually controls the sysctl net.inet6.ipv6.forwarding variable, so you don't need to explicitly enable it in sysctl.conf; you can comment it out or delete it from sysctl.conf too.
The net.inet6.ip6.auto_linklocal sysctl controls the interface auto_linklocal flag and you don't need it either, so remove it from your sysctl.conf, because on the interfaces which have IPv6 enabled the link-local address (fe80::) is generated automatically. Then read here how to set up a static IPv6 address on your interface:
_31.9.2. Configuring IPv6_
https://www.freebsd.org/doc/handbook/network-ipv6.html

The rc.conf variable ipv6_default_interface is not needed as it works only if ipv6_gateway_enable is enabled.

rc.conf

```
ipv6_gateway_enable="NO"
ipv6_default_interface="em0"
ifconfig_em0_ipv6="inet6 2001:470:1f15:86d::41 prefixlen 64"
ipv6_defaultrouter="2001:470:1f15:86d::1"
```

sysctl.conf

```
net.inet6.ip6.forwarding=1
net.inet6.ip6.auto_linklocal=1
```

Edit:
Also check whether the default IPv6 gateway is 2001:470:1f15:86d::1 or fe80::01.


----------



## lory (Jan 9, 2019)

Nothing changed. IPv6 is still not working.


----------



## VladiBG (Jan 9, 2019)

Do you have ping to your gateway?


----------



## lory (Jan 9, 2019)

VladiBG said:


> do you have ping to your gateway?



When I ping the GW, IPv6 works for a while.
When FreeBSD is missing from Mikrotik's /ipv6/neighbor table, IPv6 stops working.


----------



## lory (Jan 9, 2019)

This is similar to my case:

https://forum.mikrotik.com/viewtopic.php?t=86253


----------



## SirDice (Jan 9, 2019)

lory said:


> When I ping the GW, IPv6 works for a while.
> When FreeBSD is missing from Mikrotik's /ipv6/neighbor table, IPv6 stops working.


That really points to an issue with the Mikrotik. Why would it go missing?

To be honest I don't trust those Mikrotik devices. When I investigate malware bots trying to break into my servers it often turns out to be a hacked Mikrotik router. 

https://www.zdnet.com/article/thousands-of-mikrotik-routers-are-snooping-on-user-traffic/

I'm not saying that's the case with _your_ router, although I do recommend making absolutely sure you have the latest firmware, I simply trust these things about as far as I can throw them.


----------



## lory (Jan 9, 2019)

SirDice said:


> That really points to an issue with the Mikrotik. Why would it go missing?
> 
> To be honest I don't trust those Mikrotik devices. When I investigate malware bots trying to break into my servers it often turns out to be a hacked Mikrotik router.
> 
> ...



I am on the latest firmware.
Winbox listens on the LAN interface.


----------



## T-Daemon (Jan 9, 2019)

From the FreeBSD side you could do some diagnosis with ndp(8), eventually control some settings. I can't say if the tool is of any use in helping to delimit the problem, but it won't hurt to take a look.


----------



## lory (Jan 10, 2019)

Finally:

`/usr/sbin/daemon -f /sbin/ping6 -i 2 -s 1 2001:470:1f15:86d::1`

Not clear, but working


----------



## pos (Jan 11, 2019)

Hi

You say it works on Linux... I know one IPv6 difference between Linux and FreeBSD is that FreeBSD *requires* the gateway IP to fit inside the interface network mask, whereas on Linux it is not a requirement. This causes tons of problems if running in the cloud, where the hosting operator often has a big IP block for many customers. A standard setup is that a customer gets a /64 for his host. But the gateway he gets is outside the /64 and fits in a bigger /48. In such a setup with FreeBSD, the mask has to be changed to /48 for the routing to work. But this of course could give you connection errors to others within this block.

The RFC standard is not that clear. I have recently logged this as a FreeBSD bug at the Bugzilla, as I, as well as the cloud operators and the Linux community, state it is allowed. Also it causes problems...

But... I have not read your thread in detail. So this is maybe not your problem.

/Peo

EDIT:
No, you probably have another issue....


----------

