---
layout: post
title: "IPv6 and Netgraph Ethernet pseudo-interface"
date: 2017-12-28 12:47:00 +0100
comments: true
categories:
---

On a NanoBSD firewall, I want to have a separate MAC address on one of the Ethernet interfaces to act as the outer endpoint for IPv6 traffic. This is achieved using a Netgraph eiface:

```plain /etc/rc.local
# Load the Ethernet netgraph node type so that sis0: exists as a node
kldload ng_ether
# Attach a bridge to the lower (wire-side) hook of sis0 and name it
ngctl mkpeer sis0: bridge lower link0
ngctl name sis0:lower sis0bridge
# Reconnect the host stack's side of sis0 to the bridge
ngctl connect sis0: sis0bridge: upper link1
# Create the eiface pseudo-interface (ngeth0) on the bridge
ngctl mkpeer sis0bridge: eiface link2 ether
# Accept frames for the extra MAC and keep its source address on transmit
ngctl msg sis0: setpromisc 1
ngctl msg sis0: setautosrc 0
# Give the pseudo-interface its own MAC address
ifconfig ngeth0 link 06:00:00:00:00:06
```

Note that this does *not* include an ifconfig call to set the interface's IPv6 address: this is done by devd, which calls the boot scripts' ifconfig routine when the interface comes up. Thus I have the following line in `/etc/rc.conf`:

```plain /etc/rc.conf
ifconfig_ngeth0_ipv6="inet6 fe80::6/64"
```

If instead of this line I have an explicit ifconfig in `/etc/rc.local`, then there is a race condition between rc.local and devd. If devd runs last, the boot scripts won't see any IPv6 address configured for the newly created interface in `/etc/rc.conf`, and they will set `ifdisabled` on it (blocking all IPv6 traffic, and marking the configured link-local address as "tentative"). If devd runs first, the problem is dormant, because setting the link-local address clears `ifdisabled` as a side effect.