Todo #16146
closed
Document net.inet6.icmp6.nd6_onlink_ns_rfc4861
Description
Some ISPs require net.inet6.icmp6.nd6_onlink_ns_rfc4861 to be set (e.g. sysctl net.inet6.icmp6.nd6_onlink_ns_rfc4861=1). This is needed to allow pfSense to respond to Neighbor Solicitation requests sourced by an address that pfSense doesn't already know about.
For example, before setting the tunable:
15:40:29.529162 IP6 2001:db8:ffff:5:5::1 > ff02::1:ffb2:3434: ICMP6, neighbor solicitation, who has fe80::208:a2ff:fe12:ec78, length 32
15:40:30.528332 IP6 2001:db8:ffff:5:5::1 > ff02::1:ffb2:3434: ICMP6, neighbor solicitation, who has fe80::208:a2ff:fe12:ec78, length 32
15:40:31.528522 IP6 2001:db8:ffff:5:5::1 > ff02::1:ffb2:3434: ICMP6, neighbor solicitation, who has fe80::208:a2ff:fe12:ec78, length 32
15:40:32.529656 IP6 2001:db8:ffff:5:5::1 > ff02::1:ffb2:3434: ICMP6, neighbor solicitation, who has fe80::208:a2ff:fe12:ec78, length 32
15:40:33.529546 IP6 2001:db8:ffff:5:5::1 > ff02::1:ffb2:3434: ICMP6, neighbor solicitation, who has fe80::208:a2ff:fe12:ec78, length 32
15:40:34.529569 IP6 2001:db8:ffff:5:5::1 > ff02::1:ffb2:3434: ICMP6, neighbor solicitation, who has fe80::208:a2ff:fe12:ec78, length 32
and after setting it:
17:03:07.113692 IP6 2001:db8:ffff:5:5::1 > ff02::1:ffb2:3434: ICMP6, neighbor solicitation, who has fe80::250:56ff:feb2:3434, length 32
17:03:07.113819 IP6 fe80::250:56ff:feb2:3434 > ff02::1:ff12:ec78: ICMP6, neighbor solicitation, who has fe80::208:a2ff:fe12:ec78, length 32
17:03:07.114223 IP6 2001:db8:ffff:5:5::1 > fe80::250:56ff:feb2:3434: ICMP6, echo request, id 18079, seq 0, length 16
17:03:07.114296 IP6 fe80::208:a2ff:fe12:ec78 > fe80::250:56ff:feb2:3434: ICMP6, neighbor advertisement, tgt is fe80::208:a2ff:fe12:ec78, length 32
17:03:07.114317 IP6 fd6e:6574:6761:7465:8361:a967:bcc8:70d3 > 2001:db8:ffff:5:5::1: ICMP6, neighbor advertisement, tgt is fe80::250:56ff:feb2:3434, length 32
17:03:07.114339 IP6 fe80::250:56ff:feb2:3434 > 2001:db8:ffff:5:5::1: ICMP6, echo reply, id 18079, seq 0, length 16
17:03:08.114233 IP6 2001:db8:ffff:5:5::1 > fe80::250:56ff:feb2:3434: ICMP6, echo request, id 18079, seq 1, length 16
17:03:08.114266 IP6 fe80::250:56ff:feb2:3434 > 2001:db8:ffff:5:5::1: ICMP6, echo reply, id 18079, seq 1, length 16
Information on this can be added to:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/connectivity.html
Related discussion:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263288
https://forum.netgate.com/topic/140950/ipv6-native-with-telstra-australia
https://forum.netgate.com/topic/196962/gigaclear-ip6-lose-of-connectivity-after-exactly-5-minutes
Updated by Jim Pingle about 1 month ago
- Status changed from New to Rejected
Looking at the Bugzilla entry I do not think we should document this. Certainly not in any primary troubleshooting documentation. Toggling that sysctl exposes the firewall to CVE-2008-2476 and it is only safe to do if the link is properly isolated from any other potential sources of rogue ND messages.
Even with appropriate warnings I don't like the idea of suggesting something like this officially. I know people don't have a lot of choice in what their ISP does, but affected users can find that information in forum threads specific to their ISP if needed.
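A detection-side view of the exposure described in the comment above, as an added example that is not part of this issue thread or of pfSense: it scans tcpdump text output for Neighbor Solicitations whose source is neither link-local nor inside a configured on-link prefix, the class of message the firewall answers only when the tunable is set. The function name, the on-link prefix 2001:db8:1::/64 and the sample lines are constructed for illustration, and the neighbor test is a simplification of the kernel's check.

```python
import ipaddress
import re

# Constructed sample in tcpdump text format, modelled on the captures in this issue.
SAMPLE = """\
15:40:29.529162 IP6 2001:db8:ffff:5:5::1 > ff02::1:ffb2:3434: ICMP6, neighbor solicitation, who has fe80::208:a2ff:fe12:ec78, length 32
15:40:30.528332 IP6 2001:db8:ffff:5:5::1 > ff02::1:ffb2:3434: ICMP6, neighbor solicitation, who has fe80::208:a2ff:fe12:ec78, length 32
15:40:30.600000 IP6 fe80::250:56ff:feb2:3434 > ff02::1:ff12:ec78: ICMP6, neighbor solicitation, who has fe80::208:a2ff:fe12:ec78, length 32
15:40:30.700000 IP6 2001:db8:1::5 > ff02::1:ff12:ec78: ICMP6, neighbor solicitation, who has 2001:db8:1::1, length 32
15:40:31.528522 IP6 2001:db8:ffff:5:5::1 > ff02::1:ffb2:3434: ICMP6, neighbor solicitation, who has fe80::208:a2ff:fe12:ec78, length 32
15:40:31.600000 IP6 2001:db8:1::5 > 2001:db8:1::1: ICMP6, echo request, id 1, seq 0, length 16
"""

# tcpdump line shape: "<ts> IP6 <src> > <dst>: ICMP6, neighbor solicitation, who has <tgt>, ..."
NS_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>[0-9a-fA-F:]+): ICMP6, "
    r"neighbor solicitation, who has (?P<tgt>[0-9a-fA-F:]+),"
)


def off_link_solicitations(capture, onlink_prefixes):
    """Count NS messages per (source, target) whose source is not a neighbor.

    Assumption (simplified model): a source counts as a neighbor if it is
    link-local or falls inside one of the interface's on-link prefixes.
    """
    nets = [ipaddress.ip_network(p) for p in onlink_prefixes]
    findings = {}
    for line in capture.splitlines():
        m = NS_RE.match(line.strip())
        if not m:
            continue  # not a Neighbor Solicitation line
        src = ipaddress.ip_address(m["src"])
        if src.is_unspecified or src.is_link_local:
            continue  # DAD probes (::) and link-local neighbors
        if any(src in net for net in nets):
            continue  # source is covered by a known on-link prefix
        key = (str(src), m["tgt"])
        findings[key] = findings.get(key, 0) + 1
    return findings


if __name__ == "__main__":
    for (src, tgt), n in off_link_solicitations(SAMPLE, ["2001:db8:1::/64"]).items():
        print(f"{n} NS from off-link source {src} for target {tgt}")
```

Run against a capture from the WAN segment, an unexpected source in the output is a reason to check how well that link is isolated before relying on the tunable.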
Updated by Marcos M about 1 month ago
For reference this behavior can be achieved with pfSense as the upstream router, e.g. if the address being pinged by the client is a VIP on the upstream pfSense device:
1 2025-04-22 21:51:22.826675 0.000000 2001:db8:aaac:0:250:56ff:feb2:3c91 2001:db8:aaaa::a ICMPv6 63 Echo (ping) request id=0x093e, seq=7098, hop limit=64 (no response found!)
2 2025-04-22 21:51:23.346219 0.519544 2001:db8:aaac:0:250:56ff:feb2:3c91 2001:db8:aaaa::a ICMPv6 63 Echo (ping) request id=0x093e, seq=7099, hop limit=64 (no response found!)
3 2025-04-22 21:51:23.346238 0.000019 2001:db8:aaaa::a ff02::1:ffb2:3c91 ICMPv6 86 Neighbor Solicitation for 2001:db8:aaac:0:250:56ff:feb2:3c91 from 00:50:56:b2:71:1f
4 2025-04-22 21:51:23.856758 0.510520 2001:db8:aaac:0:250:56ff:feb2:3c91 2001:db8:aaaa::a ICMPv6 63 Echo (ping) request id=0x093e, seq=7100, hop limit=64 (no response found!)
5 2025-04-22 21:51:23.870134 0.013376 2001:db8:aaac:0:250:56ff:feb2:3c91 2001:db8:f:5:5::1 ICMPv6 70 Echo (ping) request id=0xcdbe, seq=0, hop limit=64 (no response found!)
6 2025-04-22 21:51:24.345543 0.475409 2001:db8:aaaa::a ff02::1:ffb2:3c91 ICMPv6 86 Neighbor Solicitation for 2001:db8:aaac:0:250:56ff:feb2:3c91 from 00:50:56:b2:71:1f
7 2025-04-22 21:51:24.366376 0.020833 2001:db8:aaac:0:250:56ff:feb2:3c91 2001:db8:aaaa::a ICMPv6 63 Echo (ping) request id=0x093e, seq=7101, hop limit=64 (no response found!)
8 2025-04-22 21:51:24.886571 0.520195 2001:db8:aaac:0:250:56ff:feb2:3c91 2001:db8:aaaa::a ICMPv6 63 Echo (ping) request id=0x093e, seq=7102, hop limit=64 (no response found!)
9 2025-04-22 21:51:24.886694 0.000123 2001:db8:aaac:0:250:56ff:feb2:3c91 2001:db8:f:5:5::1 ICMPv6 70 Echo (ping) request id=0xcdbe, seq=1, hop limit=64 (no response found!)
10 2025-04-22 21:51:25.345792 0.459098 2001:db8:aaaa::a ff02::1:ffb2:3c91 ICMPv6 86 Neighbor Solicitation for 2001:db8:aaac:0:250:56ff:feb2:3c91 from 00:50:56:b2:71:1f
11 2025-04-22 21:51:25.396228 0.050436 2001:db8:aaac:0:250:56ff:feb2:3c91 2001:db8:aaaa::a ICMPv6 63 Echo (ping) request id=0x093e, seq=7103, hop limit=64 (no response found!)
12 2025-04-22 21:51:25.899130 0.502902 2001:db8:aaac:0:250:56ff:feb2:3c91 2001:db8:f:5:5::1 ICMPv6 70 Echo (ping) request id=0xcdbe, seq=2, hop limit=64 (no response found!)
13 2025-04-22 21:51:25.910089 0.010959 2001:db8:aaac:0:250:56ff:feb2:3c91 2001:db8:aaaa::a ICMPv6 63 Echo (ping) request id=0x093e, seq=7104, hop limit=64 (no response found!)