Thomas’ Lab Notes

Stuff worth not forgetting

IPv6 and Netgraph Ethernet Pseudo-interface

On a NanoBSD firewall, I want to have a separate MAC address on one of the Ethernet interfaces to act as the outer endpoint for IPv6 traffic. This is achieved using a Netgraph eiface:

kldload ng_ether
ngctl mkpeer sis0: bridge lower link0
ngctl name sis0:lower sis0bridge
ngctl connect sis0: sis0bridge: upper link1
ngctl mkpeer sis0bridge: eiface link2 ether
ngctl msg sis0: setpromisc 1
ngctl msg sis0: setautosrc 0

ifconfig ngeth0 link 06:00:00:00:00:06

Note that this does not include an ifconfig call to set the interface’s IPv6 address: this is done by devd, which calls the boot scripts’ ifconfig routine when the interface comes up. Thus I have the following line in /etc/rc.conf:

ifconfig_ngeth0_ipv6="inet6 fe80::6/64"

If instead of this line I have an explicit ifconfig in /etc/rc.local, then there is a race condition between rc.local and devd. If devd runs last, the boot scripts won’t see any IPv6 address configured for the newly created interface in /etc/rc.conf, and they will set ifdisabled on it (blocking all IPv6 traffic, and marking the configured link-local address as “tentative”). If devd runs first, the problem is dormant, because setting the link-local address clears ifdisabled as a side effect.
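
To tell after boot which side of the race a box landed on, the check below classifies the interface from its ifconfig output. It is an added example, not part of the original notes; the function name nd6_state and both sample outputs (including the scope id) are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify an interface's IPv6 state from `ifconfig <if>` output.
# Reads the output on stdin and prints one of:
#   ifdisabled | no-linklocal | tentative | ok
nd6_state() {
    awk '
        # e.g. "nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>"
        $1 == "nd6" && /[<,]IFDISABLED[,>]/ { disabled = 1 }
        # e.g. "inet6 fe80::6%ngeth0 prefixlen 64 tentative scopeid 0x5"
        $1 == "inet6" && $2 ~ /^fe80:/ {
            linklocal = 1
            for (i = 3; i <= NF; i++) if ($i == "tentative") tentative = 1
        }
        END {
            if (disabled)        print "ifdisabled"
            else if (!linklocal) print "no-linklocal"
            else if (tentative)  print "tentative"
            else                 print "ok"
        }
    '
}

# Constructed sample: devd ran last, ifdisabled is set and the address stays tentative.
sample_race_lost() {
    cat <<'EOF'
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 06:00:00:00:00:06
	inet6 fe80::6%ngeth0 prefixlen 64 tentative scopeid 0x5
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
EOF
}

# Constructed sample: address configured via rc.conf, ifdisabled clear.
sample_healthy() {
    cat <<'EOF'
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 06:00:00:00:00:06
	inet6 fe80::6%ngeth0 prefixlen 64 scopeid 0x5
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
EOF
}

echo "race lost: $(sample_race_lost | nd6_state)"
echo "healthy:   $(sample_healthy | nd6_state)"
# On the firewall itself: ifconfig ngeth0 | nd6_state
```

A result of "tentative" without "ifdisabled" only means duplicate address detection has not finished yet; re-check a few seconds later.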