New article on ngeth

source/_posts/2017-12-28-ipv6-and-netgraph-ethernet-pseudo-interface.markdown

@@ -0,0 +1,45 @@
+---
+layout: post
+title: "IPv6 and Netgraph Ethernet pseudo-interface"
+date: 2017-12-28 12:47:00 +0100
+comments: true
+categories: 
+---
+
+On a NanoBSD firewall, I want to have a separate
+MAC address on one of the Ethernet interfaces to
+act as the outer endpoint for IPv6 traffic. This
+is achieved using a Netgraph eiface:
+
+```plain /etc/rc.local
+kldload ng_ether
+ngctl mkpeer sis0: bridge lower link0
+ngctl name sis0:lower sis0bridge
+ngctl connect sis0: sis0bridge: upper link1
+ngctl mkpeer sis0bridge: eiface link2 ether
+ngctl msg sis0: setpromisc 1
+ngctl msg sis0: setautosrc 0
+
+ifconfig ngeth0 link 06:00:00:00:00:06
+```
+
+Note that this does *not* include an ifconfig call to
+set the interface's IPv6 address: this is done by
+devd, which calls the boot scripts' ifconfig routine
+when the interface comes up. Thus I have the following
+line in /etc/rc.conf:
+
+```plain /etc/rc.conf
+ifconfig_ngeth0_ipv6="inet6 fe80::6/64"
+```
+
+If instead of this line I have an explicit ifconfig
+in `/etc/rc.local` then there is a race condition between
+rc.local and devd. If devd runs last, the boot scripts
+won't see any IPv6 address configured for the newly
+created interface in `/etc/rc.conf`, and they will set
+`ifdisabled` on it (blocking all IPv6 traffic, and marking
+the configured link local address as "tentative").
+If devd runs first, the problem is dormant, because setting
+the link local address clears `ifdisabled` as a side effect.
+