IPv6 TCP from vnet jail
- Reply: Michael Tuexen : "Re: IPv6 TCP from vnet jail"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 01 Jun 2026 18:41:46 UTC
> root@poly:~ # uname -a > FreeBSD poly.johnrshannon.com 15.0-RELEASE-p9 FreeBSD 15.0-RELEASE-p9 > releng/15.0-n281048-6d536196f1bd GENERIC amd64 I have a vnet jail for postfix. Postfix forwards smtp over a Wireguard interface to another postfix server. The relaying works when IPv4 is used; it does not work with IPv6. IPv6 networking for the jail is: > epair6b: > flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric > 0 mtu 1500 > options=60000b<RXCSUM,TXCSUM,VLAN_MTU,RXCSUM_IPV6,TXCSUM_IPV6> > ether 58:9c:fc:10:fc:32 > inet 10.1.6.32 netmask 0xffffff00 broadcast 10.1.6.255 > inet6 fe80::5a9c:fcff:fe10:fc32%epair6b prefixlen 64 scopeid 0x1b > inet6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 prefixlen 64 > groups: epair > media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>) > status: active > nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> Outside the jail: > privatebridge: > flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric > 0 mtu 1500 > options=10<VLAN_HWTAGGING> > ether 58:9c:fc:10:72:30 > inet 10.1.6.1 netmask 0xffffff00 broadcast 10.1.6.255 > inet6 fd4f:7b8c:5ffd:6006::1 prefixlen 64 > id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 > maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200 > root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 > bridge flags=0<> > member: epair6a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> > port 26 priority 128 path cost 2000 vlan protocol 802.1q ... > wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1380 > options=80000<LINKSTATE> > inet 10.1.5.1 netmask 0xffffff00 > inet6 fd4f:7b8c:5ffd:6005::1 prefixlen 64 > groups: wg > nd6 options=101<PERFORMNUD,NO_DAD> > root@poly:/var/log # netstat -rn6 > Routing tables > > Internet6: > Destination Gateway Flags Netif Expire > ::/96 link#2 URS lo0 > default fe80::1%vtnet0 UGS vtnet0 > ::1 link#2 UHS lo0 > ::ffff:0.0.0.0/96 link#2 URS lo0 > 2a01:4ff:1f0:6b41::/64 link#1 U vtnet0 > 2a01:4ff:1f0:6b41:9000:7ff:fe0f:c2ca link#2 UHS lo0 > fd4f:7b8c:5ffd:1000::/64 link#5 US wg0 > fd4f:7b8c:5ffd:1001::/64 link#5 US wg0 > fd4f:7b8c:5ffd:1002::/64 link#5 US wg0 > fd4f:7b8c:5ffd:1003::/64 link#5 US wg0 > fd4f:7b8c:5ffd:1004::/64 link#5 US wg0 > fd4f:7b8c:5ffd:3000::/52 link#5 US wg0 > fd4f:7b8c:5ffd:6005::/64 link#5 U wg0 > fd4f:7b8c:5ffd:6005::1 link#2 UHS lo0 > fd4f:7b8c:5ffd:6006::/64 link#3 U privatebridg > fd4f:7b8c:5ffd:6006::1 link#2 UHS lo0 > fe80::%lo0/10 link#2 URS lo0 > fe80::%vtnet0/64 link#1 U vtnet0 > fe80::9000:7ff:fe0f:c2ca%lo0 link#2 UHS lo0 > fe80::%lo0/64 link#2 U lo0 > fe80::1%lo0 link#2 UHS lo0 > ff02::/16 link#2 URS lo0 My intention is to route these packets from the bridge over wg0 (Wireguard) to the destination. It works with ping6, but does not work with smtp. With smtp and using tcpdump in the jail I see: > root@mail:/usr/local/etc/postfix # tcpdump -ni epair6b icmp6 > tcpdump: verbose output suppressed, use -v[v]... for full protocol decode > 10:42:54.998257 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:54.998272 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.000250 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.000256 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.002174 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.002178 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.004111 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.004141 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.006112 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.006118 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.008033 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.008038 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.052658 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.091324 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.135036 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.211233 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.254940 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.302406 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.302416 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.347152 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.498540 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.542285 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.675712 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 > 10:42:55.675749 IP6 fd4f:7b8c:5ffd:6006::1 > > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, packet too big, mtu > 1380, length 1240 ... The command > root@poly:~ # tcpdump -ni wg0 icmp6 displays no output. This isn't surprising as its the IP for privatebridge that's returning the icmp6 "too big" message. The result is different using ping6: > root@mail:/usr/local/etc/postfix # ping6 -c 6 -D -s 1240 maila > PING(1288=40+8+1240 bytes) fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 --> > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=0 hlim=62 > time=34.601 ms > 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=1 hlim=62 > time=35.499 ms > 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=2 hlim=62 > time=31.764 ms > 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=3 hlim=62 > time=32.029 ms > 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=4 hlim=62 > time=33.071 ms > 1248 bytes from fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19, icmp_seq=5 hlim=62 > time=32.730 ms from the jail, I see this on wg0: root@poly:~ # tcpdump -ni wg0 icmp6 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on wg0, link-type NULL (BSD loopback), snapshot length 262144 bytes 11:00:10.614336 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 0, length 1248 11:00:10.646884 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 0, length 1248 11:00:11.631213 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 1, length 1248 11:00:11.663043 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 1, length 1248 11:00:12.646270 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 2, length 1248 11:00:12.677520 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 2, length 1248 11:00:13.659678 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 3, length 1248 11:00:13.693673 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 3, length 1248 11:00:14.679861 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 4, length 1248 11:00:14.713685 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 4, length 1248 11:00:15.701635 IP6 fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32 > fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19: ICMP6, echo request, id 45637, seq 5, length 1248 11:00:15.733886 IP6 fd4f:7b8c:5ffd:1000:ae1f:6bff:1:19 > fd4f:7b8c:5ffd:6006:5a9c:fcff:fe10:fc32: ICMP6, echo reply, id 45637, seq 5, length 1248 Any suggestions on debugging this? -- John R. Shannon john@johnrshannon.com