While creating some VMs with Bhyve + IPv6 I had to create a bridge, and therefore the main network card had to be in promiscuous (`promisc`) mode.
Eventually, I managed to get the VMs to work, but started to notice strange behavior (mainly timeouts and very slow responses) on the host while trying to update the packages or just fetching something with curl.
The server is currently using PF, and by checking the logs:
Code:
tcpdump -n -e -ttt -i pflog0 ip6
After doing some traffic like `pkg update` or a simple `curl google.com`, I got these logs:
Code:
00:00:00.000000 rule 3/0(match): block in on igb0: 2001:4860:4860::8844.53 > 2a01:4f8:350:84ec::1.53939: 19426 1/0/1 A 216.58.210.14 (55)
00:00:00.400845 rule 3/0(match): block in on igb0: 2001:4860:4860::8844.53 > 2a01:4f8:350:84ec::1.36699: 23499 1/0/1 A 216.58.210.14 (55)
00:00:00.385682 rule 3/0(match): block in on igb0: 2a01:4f8:0:a0a1::add:1010.53 > 2a01:4f8:350:84ec::1.25247: 22918 1/0/1 AAAA 2a00:1450:4001:81c::200e (67)
00:00:00.400351 rule 3/0(match): block in on igb0: 2a01:4f8:0:a0a1::add:1010.53 > 2a01:4f8:350:84ec::1.54634: 50020 1/0/1 AAAA 2a00:1450:4001:81c::200e (67)
00:00:01.418975 rule 3/0(match): block in on igb0: 2a00:1450:4001:81d::200e.80 > 2a01:4f8:350:84ec::1.12922: Flags [S.], seq 1243698502, ack 2222250217, win 27200, options [mss 1360,nop,nop,sackOK], length 0
00:00:00.300047 rule 3/0(match): block in on igb0: 2a00:1450:4001:81d::200e.80 > 2a01:4f8:350:84ec::1.12922: Flags [S.], seq 1243698502, ack 2222250217, win 27200, options [mss 1360,nop,nop,sackOK], length 0
For an unknown reason, all the returning traffic is being blocked, as if PF were not being stateful for IPv6 in `promisc` mode.
It is also important to mention that despite the log entries, when curling a site that supports both IPv4 and IPv6, it takes time but it does connect; the logs indeed only show the returning IPv6 traffic being blocked, so it seems like it tries IPv6 first and falls back to IPv4.
These are the `PF` rules I am using:
Code:
public_if = "igb0"
public_tcp_ports = "{ 80 443 }"
public_udp_ports = "{ 53 }"
set block-policy drop
set limit { states 1000000, frags 1000000, src-nodes 100000, table-entries 1000000 }
set loginterface $public_if
set optimization aggressive
set skip on {lo0, bridge0, tap}
set state-policy if-bound
set timeout frag 30
set timeout interval 10
scrub in all fragment reassemble no-df max-mss 1440
nat on $public_if from {172.16.8.0/21} to any -> ($public_if)
antispoof log for $public_if
block log all
block in log quick from no-route to any
block drop in log quick on $public_if inet proto tcp from any to any flags FUP/FUP
pass in quick on $public_if proto tcp from any to any port $public_tcp_ports flags S/SA keep state
pass in quick on $public_if proto udp from any to any port $public_udp_ports keep state
pass in quick on $public_if proto {esp, ipencap} from any to any keep state
pass in quick proto ipencap all
icmp_types="{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types keep state
pass proto ipv6-icmp from any to any
pass out quick proto tcp all flags S/SA keep state
pass out all keep state
Any idea of what could be done to not block the returning requests, or to make the system give preference to IPv4 over IPv6, so that hopefully that could avoid the delays?
Thanks in advance.
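As an added example (not part of the original post), a small Python script that parses the `tcpdump -n -e -ttt -i pflog0` output quoted above and flags blocked inbound packets that are replies to connections the host itself initiated (TCP SYN-ACKs to ephemeral ports, DNS answers from port 53). A high count of such entries is the symptom described here: return traffic that a stateful `pass out ... keep state` rule should already have admitted. The sample lines are the post's own plus one constructed unsolicited inbound SYN, so the filter has something to leave out.

```python
import re
from collections import Counter

# Line shape produced by: tcpdump -n -e -ttt -i pflog0 ip6 (fields used by this parser)
# "<delta> rule <n>/<sub>(match): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: <rest>"
PFLOG_RE = re.compile(
    r"^(?P<delta>\S+) rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\S+): (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Sample input: the six pflog lines from the post, plus one constructed inbound SYN to port 22
SAMPLE_PFLOG = [
    "00:00:00.000000 rule 3/0(match): block in on igb0: 2001:4860:4860::8844.53 > 2a01:4f8:350:84ec::1.53939: 19426 1/0/1 A 216.58.210.14 (55)",
    "00:00:00.400845 rule 3/0(match): block in on igb0: 2001:4860:4860::8844.53 > 2a01:4f8:350:84ec::1.36699: 23499 1/0/1 A 216.58.210.14 (55)",
    "00:00:00.385682 rule 3/0(match): block in on igb0: 2a01:4f8:0:a0a1::add:1010.53 > 2a01:4f8:350:84ec::1.25247: 22918 1/0/1 AAAA 2a00:1450:4001:81c::200e (67)",
    "00:00:00.400351 rule 3/0(match): block in on igb0: 2a01:4f8:0:a0a1::add:1010.53 > 2a01:4f8:350:84ec::1.54634: 50020 1/0/1 AAAA 2a00:1450:4001:81c::200e (67)",
    "00:00:01.418975 rule 3/0(match): block in on igb0: 2a00:1450:4001:81d::200e.80 > 2a01:4f8:350:84ec::1.12922: Flags [S.], seq 1243698502, ack 2222250217, win 27200, options [mss 1360,nop,nop,sackOK], length 0",
    "00:00:00.300047 rule 3/0(match): block in on igb0: 2a00:1450:4001:81d::200e.80 > 2a01:4f8:350:84ec::1.12922: Flags [S.], seq 1243698502, ack 2222250217, win 27200, options [mss 1360,nop,nop,sackOK], length 0",
    # constructed: an unsolicited inbound SYN, which a default-deny policy is expected to block
    "00:00:00.100000 rule 3/0(match): block in on igb0: 2001:db8::1.40000 > 2a01:4f8:350:84ec::1.22: Flags [S], seq 1, win 65535, length 0",
]

def parse_pflog_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("rule", "sport", "dport"):
        d[key] = int(d[key])
    return d

def is_blocked_reply(entry):
    """True when a blocked inbound packet looks like the reply half of a
    connection the host started (SYN-ACK or DNS answer to an ephemeral port)."""
    if entry is None or entry["action"] != "block" or entry["dir"] != "in":
        return False
    rest, ephemeral = entry["rest"], entry["dport"] >= 1024
    if "Flags [S.]" in rest and ephemeral:            # second leg of our own TCP handshake
        return True
    if entry["sport"] == 53 and ephemeral and re.search(r"\b\d+/\d+/\d+\b", rest):
        return True                                   # DNS answer with an answer-section count
    return False

def summarize(lines):
    """Count blocked replies and attribute them to the PF rule and remote peer."""
    entries = [e for e in map(parse_pflog_line, lines) if e]
    replies = [e for e in entries if is_blocked_reply(e)]
    return {"total": len(entries), "blocked_replies": len(replies),
            "by_rule": dict(Counter(e["rule"] for e in replies)),
            "by_peer": dict(Counter(e["src"] for e in replies))}
```

Feed it the real `tcpdump -n -e -ttt -i pflog0` output with `summarize(sys.stdin.readlines())`; the rule number in `by_rule` can then be matched against `pfctl -vvsr` to see which rule is dropping the replies.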