Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Linux & BSD & Mac => Topic started by: sebastiannielsen on February 22, 2015, 10:29:30 PM

Title: ICMPv6 issue with pfsense - problem with he tunnel?
Post by: sebastiannielsen on February 22, 2015, 10:29:30 PM
I have one /64 from he.net and have segmented it into the following networks:
2001:470:28:1c:1::/80 = lan (RADVD=Managed, DHCPv6 enabled)
2001:470:28:1c:2::/80 = openvpn (RADVD=Router only, DHCPv6 disabled)
2001:470:28:1c:3::/80 = wireless (RADVD=Managed, DHCPv6 enabled)

I found a strange issue with ICMPv6: incoming pings from the internet seem to be blocked.
Of course, ICMPv6 is allowed through my firewall. The strange thing is that according to my firewall packet capture, the ICMPv6 echo never reaches my firewall.

I guess the problem is at he.net, because when I turn on packet capture in pfSense in "promiscuous mode", listen for all ICMPv6 traffic, and start pinging from an external host (both the he.net port scan site, which does ping unless the checkbox is checked, and some other ICMPv6 ping sites) to 2001:470:28:1c:1::6712, I only see this in the packet capture:

07:16:40.093702 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, echo request, seq 26890
07:16:40.124868 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::1 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, echo reply, seq 26890
07:16:41.094700 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:27:1c::1
07:16:41.094734 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, echo request, seq 27146
07:16:41.122571 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:27:1c::1 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2001:470:27:1c::1, Flags [router, solicited]
07:16:41.122587 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::1 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, echo reply, seq 27146
07:16:42.112054 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, echo request, seq 27402
07:16:42.139889 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::1 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, echo reply, seq 27402
07:16:50.192276 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, echo request, seq 29450
07:16:50.220181 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::1 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, echo reply, seq 29450
07:16:50.588627 IP6 (hlim 58, next-header ICMPv6 (58) payload length: 110) 2001:470:0:90::2 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2001:470:7:18f::2
07:16:50.811445 IP6 (hlim 58, next-header ICMPv6 (58) payload length: 80) 2001:41d0::b1c > 2001:470:28:1c:1::6712: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2001:41d0:8:e8ad::fa11:bac
07:16:50.960882 IP6 (hlim 58, next-header ICMPv6 (58) payload length: 110) 2001:470:0:90::2 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2001:470:7:18f::2
07:16:51.207138 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, echo request, seq 29706
07:16:51.235046 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::1 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, echo reply, seq 29706
07:16:53.222522 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, echo request, seq 30218
07:16:53.250586 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::1 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, echo reply, seq 30218
07:16:53.434586 IP6 (hlim 58, next-header ICMPv6 (58) payload length: 110) 2001:470:0:90::2 > 2001:470:28:1c:1::1: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2001:470:7:18f::2
07:16:54.208020 IP6 (hlim 58, next-header ICMPv6 (58) payload length: 110) 2001:470:0:90::2 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2001:470:7:18f::2
07:16:54.222967 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, echo request, seq 30474
07:16:54.250816 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::1 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, echo reply, seq 30474
07:16:59.243538 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, echo request, seq 31754
07:16:59.271369 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::1 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, echo reply, seq 31754
07:16:59.626997 IP6 (hlim 59, next-header ICMPv6 (58) payload length: 76) 2001:41d0::b1c > 2001:470:28:1c:1::6712: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2001:41d0:8:e8ad::fa11:bac
07:17:00.277697 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, echo request, seq 32010
07:17:00.305634 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::1 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, echo reply, seq 32010

What can the cause be? Sounds like a routing issue, right?
Also, the strange thing is that it randomly worked for some time and then stopped working again.

Any ideas what the cause can be?
I'm running the latest pfSense 2.2, but this problem also existed in 2.1.

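Added example (not from the original post): a small Python parser for the pfSense capture lines quoted above. It assumes the routed /64 is 2001:470:28:1c::/64, as the three /80s imply, counts the ICMPv6 message kinds by whether they were addressed into that /64, and lists echo requests that arrived from outside it, which is the check that settles whether an internet ping ever reached the firewall interface at all.

```python
import ipaddress
import re

# Constructed sample: five lines copied from the pfSense packet capture in the post above.
CAPTURE = """\
07:16:40.093702 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, echo request, seq 26890
07:16:40.124868 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 40) 2001:470:27:1c::1 > 2001:470:27:1c::2: [icmp6 sum ok] ICMP6, echo reply, seq 26890
07:16:41.094700 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:27:1c::2 > 2001:470:27:1c::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:27:1c::1
07:16:50.811445 IP6 (hlim 58, next-header ICMPv6 (58) payload length: 80) 2001:41d0::b1c > 2001:470:28:1c:1::6712: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2001:41d0:8:e8ad::fa11:bac
07:16:53.434586 IP6 (hlim 58, next-header ICMPv6 (58) payload length: 110) 2001:470:0:90::2 > 2001:470:28:1c:1::1: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2001:470:7:18f::2
"""

# Field layout of the tcpdump-style line pfSense prints for an ICMPv6 packet.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 \(hlim (?P<hlim>\d+), next-header ICMPv6 \(58\) "
    r"payload length: (?P<plen>\d+)\) (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r"\[icmp6 sum (?P<csum>\w+)\] ICMP6, (?P<kind>[^,]+)"
)

def parse(capture):
    """Yield one record per ICMPv6 line; lines in another layout are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["src"] = ipaddress.ip_address(rec["src"])
            rec["dst"] = ipaddress.ip_address(rec["dst"])
            yield rec

def summarize(capture, prefix):
    """Count message kinds, split by whether the destination lies inside `prefix`."""
    net = ipaddress.ip_network(prefix)
    counts = {}
    for rec in parse(capture):
        key = (rec["kind"], rec["dst"] in net)
        counts[key] = counts.get(key, 0) + 1
    return counts

def inbound_echo_requests(capture, prefix):
    """Echo requests from outside `prefix` to a host inside it: an internet ping that reached the box."""
    net = ipaddress.ip_network(prefix)
    return [(r["ts"], str(r["src"]), str(r["dst"])) for r in parse(capture)
            if r["kind"] == "echo request" and r["dst"] in net and r["src"] not in net]

if __name__ == "__main__":
    lan = "2001:470:28:1c::/64"  # the routed /64 the post segments into /80s
    for (kind, inside), n in sorted(summarize(CAPTURE, lan).items()):
        print(f"{n:3d}  {kind:<24} {'-> routed /64' if inside else '-> tunnel/other'}")
    print("inbound echo requests:", inbound_echo_requests(CAPTURE, lan))
```

On the sample above the inbound list is empty: only tunnel-endpoint pings and destination-unreachable messages were seen, no echo request ever arrived for a host in the routed /64.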
Title: Re: ICMPv6 issue with pfsense - problem with he tunnel?
Post by: alandsidel on September 26, 2015, 04:08:45 PM
I believe this is an nmap bug. Nmap actually doesn't just use an ICMP ping to detect whether hosts are up. It tries another ICMP type, as well as tricky packets via TCP to ports 80 and 443. It's supposed to try all four of these for IPv4 scans, and three of them (the ICMP time request is not supported in IPv6) for IPv6 host detection.

Sniffing with nmap 6.47 scanning an IPv6 host, I can see that it's only actually trying the port 80 and 443 checks if no discovery method is specified on the command line.

If you tell it to use ICMP explicitly with -PE, it works fine.

So, it's not you, it's not pfsense, and it's not (directly) HE either -- it's a bug in nmap.

(edit: meant to say -PE for 'icmp echo', not -PP)