Hardware: Turris Omnia 2020 (CZ11NIC23)
Software: OpenWRT 22.03.4 and up
Hey there!
I'm trying to find the cause of an issue I'm having since v22.03.4 on my Turris Omnia, and I'd greatly appreciate if you could share your thoughts on the matter.
My setup is quite simple:
- one router between WAN and LAN
- prefix delegation (DHCPv6 + SLAAC)
- all LAN devices connected to the router
What happens is the IPv6 connectivity between LAN and WAN will stop working after some time, while LAN to LAN works perfectly (so basically, doesn't work when routing is involved).
I found that flushing the cache of IPv6 neighbors with ip -6 neigh flush all
on the router triggers the issue, so I'm guessing the "after some time" part is just these entries expiring. In that state, pinging either LLA, ULA and GUA addresses of the router from an host does not work, or pinging an host from the router for that matter.
The strange part however is that just after rebooting the router, or even sometimes seemingly for no reason, it will start working properly again. I'm unable to reproduce that consistently.
Looking at tcpdump
traces on the router, it seems like it is sending ND neighbor solicitations without getting any response. But running tcpdump
on the associated host shows no ND solicitations whatsoever. I do not perform any filtering on ICMP, so I don't think my firewall rules are to blame here.
tcpdump trace on router
20:42:31.352100 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, seq 1, length 64
20:42:31.363429 IP6 fe80::da58:d7ff:fe01:af50 > ff02::1:ff00:f8f8: ICMP6, neighbor solicitation, who has 2a02:842a:8b:4601::f8f8, length 32
20:42:32.245464 IP6 fe80::da58:d7ff:fe01:af50 > ff02::1:ff00:a: ICMP6, neighbor solicitation, who has 2a02:842a:8b:4601::a, length 32
20:42:32.357347 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, seq 2, length 64
20:42:32.405462 IP6 fe80::da58:d7ff:fe01:af50 > ff02::1:ff00:f8f8: ICMP6, neighbor solicitation, who has 2a02:842a:8b:4601::f8f8, length 32
20:42:33.370616 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, seq 3, length 64
20:42:33.404242 IP6 fe80::da58:d7ff:fe01:af50 > ff02::1:ff00:a: ICMP6, neighbor solicitation, who has 2a02:842a:8b:4601::a, length 32
20:42:33.445463 IP6 fe80::da58:d7ff:fe01:af50 > ff02::1:ff00:f8f8: ICMP6, neighbor solicitation, who has 2a02:842a:8b:4601::f8f8, length 32
20:42:34.383866 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, seq 4, length 64
20:42:34.405464 IP6 fe80::da58:d7ff:fe01:af50 > ff02::1:ff00:a: ICMP6, neighbor solicitation, who has 2a02:842a:8b:4601::a, length 32
20:42:35.252661 IP6 fe80::da58:d7ff:fe01:af50 > ff02::1:ff00:f8f8: ICMP6, neighbor solicitation, who has 2a02:842a:8b:4601::f8f8, length 32
20:42:35.397121 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, seq 5, length 64
20:42:35.445464 IP6 fe80::da58:d7ff:fe01:af50 > ff02::1:ff00:a: ICMP6, neighbor solicitation, who has 2a02:842a:8b:4601::a, length 32
20:42:35.445482 IP6 fe80::da58:d7ff:fe01:af50 > 2a02:842a:8b:4601:ad73:4794:caa4:8b4c: ICMP6, neighbor solicitation, who has 2a02:842a:8b:4601:ad73:4794:caa4:8b4c, length 32
20:42:35.505944 IP6 2a02:842a:8b:4601:ad73:4794:caa4:8b4c > fe80::da58:d7ff:fe01:af50: ICMP6, neighbor advertisement, tgt is 2a02:842a:8b:4601:ad73:4794:caa4:8b4c, length 24
tcpdump trace on host 'f8f8'
20:44:18.758707 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, id 46, seq 107, length 64
20:44:19.772036 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, id 46, seq 108, length 64
20:44:20.785374 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, id 46, seq 109, length 64
20:44:21.795402 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, id 46, seq 110, length 64
20:44:22.808711 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, id 46, seq 111, length 64
20:44:23.101114 IP6 fe80::7ff:dae3:88d8:a866 > fe80::da58:d7ff:fe01:af50: ICMP6, neighbor solicitation, who has fe80::da58:d7ff:fe01:af50, length 32
20:44:23.825369 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, id 46, seq 112, length 64
20:44:24.838702 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, id 46, seq 113, length 64
20:44:25.852040 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, id 46, seq 114, length 64
20:44:26.862033 IP6 2a02:842a:8b:4601::f8f8 > 2620:fe::fe: ICMP6, echo request, id 46, seq 115, length 64
Looking at the diff of sysctl
dumps between 22.03.3 and 22.03.4, I don't see anything notable.
sysctl diff
fs.dentry-state = 8052 5523 45 0 979 0 | fs.dentry-state = 6227 3780 45 0 941 0
fs.inode-nr = 7069 0 | fs.inode-nr = 5283 0
fs.inode-state = 7069 0 0 0 0 0 | fs.inode-state = 5283 0 0 0 0 0
kernel.osrelease = 5.10.161 | kernel.oops_limit = 10000
> kernel.osrelease = 5.10.176
kernel.random.boot_id = 4e13c211-8bfd-4de6-994b-43a8f024a04d | kernel.random.boot_id = 01b13c08-c5f9-48fe-a649-92020c7c5830
kernel.random.uuid = 643b80ae-4774-4483-adeb-8e51f8b397bc | kernel.random.uuid = d67d0f7e-ddf7-453f-b13b-c03682bb38e9
kernel.version = #0 SMP Tue Jan 3 00:24:21 2023 | kernel.version = #0 SMP Sun Apr 9 12:27:46 2023
> kernel.warn_limit = 0
net.ipv4.tcp_fastopen_key = ad5ff674-82b3e993-74de6adb-6f1788 | net.ipv4.tcp_fastopen_key = 9f4de282-77e4dd8c-b608bf28-b5bab5
net.ipv6.conf.eth0.mtu = 1500 | net.ipv6.conf.eth0.mtu = 1508
net.netfilter.nf_conntrack_count = 90 | net.netfilter.nf_conntrack_count = 242
net.netfilter.nf_conntrack_tcp_no_window_check = 1 <
vm.user_reserve_kbytes = 64342 | vm.user_reserve_kbytes = 64341
I also tried:
- flashing the previous archive for 22.03.3 (that fixes the issue)
- flashing a freshly built archive for 22.03.3 (that fixes the issue)
- upgrading to 22.03.5 (does not solve the issue)
I'm not running the official OpenWrt release for mvebu
, but a custom build made with the image builder.
image builder configuration
PROFILE="cznic_turris-omnia"
PACKAGES="luci luci-theme-material nft-qos luci-app-nft-qos adblock luci-app-adblock tinyproxy luci-app-tinyproxy wireguard-tools luci-app-wireguard -ip-tiny ip-full -dnsmasq dnsmasq-full -odhcpd -odhcpd-ipv6only tcpdump ethtool iperf3 lsof htop vim-full"
FILES=""
BIN_DIR=""
EXTRA_IMAGE_NAME=""
DISABLED_SERVICES="tinyproxy"
I'm suspecting either a kernel bug, or a new filtering behavior I missed in the changelog, but both seem unlikely. I'll try to do a clean install with the official build when I get the chance.
Thanks!