IPv6 timeouts with OS X Server

inopinatus

Recently enabled IPv6 on your local switched network? Getting odd timeouts connecting to an OS X Server? Here’s (possibly) why: the out-of-the-box server configuration is firewalling link-local IPv6 traffic.

To diagnose this in my network I used ssh, since it’s easy to use and has good verbose output. So turn on secure shell connections if you haven’t already: Server -> Settings -> Remote access -> Secure shell connections. Now from a neighbouring device, first confirm that IPv4 ssh to the server is working, e.g. ssh -4v -S none servername.local.

Disconnect the remote shell, and now try IPv6: ssh -6v -S none servername.local. You may see that it hangs at

debug1: Connecting to servername.local [fe80::xxxx:xxxx:xxxx:xxxx%en0] port 22.

Combined with the success of the IPv4 connection, this is evidence that your IPv6 TCP SYN packet has been dropped somewhere. If you’re connecting via a local switched network, it’s a fair bet it was dropped at server port ingress.

Fortunately the solution is easy. Get on the server and edit /Library/Server/Firewall/Anchors/custom_anchor.txt. At a minimum, add this line at the top:

pass in inet6 from fe80::/10 to any no state

Now run sudo pfctl -f /etc/pf.conf and, assuming that ingress packet filtering was the issue, be amazed at how much faster things like file shares, ssh and screen sharing connect! Now turn off SSH if you weren’t otherwise using it.

If you are a more sophisticated firewall admin, you may want a more specific variant of the PF rules. If that’s you, I’m sure you already know what to do based on this hint.
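For that more specific variant, here is an added example of a tighter anchor (my illustration, not the post's own rule): it assumes en0 is the LAN interface and that ssh, AFP file sharing and screen sharing are the only services link-local peers need, and it is reloaded with the same sudo pfctl -f /etc/pf.conf.

```pf
# Added example, not from the original post. Assumes the LAN interface is en0 and
# that only ssh (22), AFP file sharing (548) and screen sharing (5900) are offered
# to link-local peers; adjust both to match the server.

# Neighbour Discovery and router messages are ICMPv6 from link-local sources;
# without them no IPv6 neighbour can resolve the server's address at all.
pass in quick on en0 inet6 proto ipv6-icmp from fe80::/10 to any \
    icmp6-type { neighbrsol, neighbradv, routersol, routeradv } keep state

# Link-local TCP only to the listed services, only to this host's own addresses
# on en0, only for new connections (SYN set, ACK clear), and tracked as state so
# follow-on packets are matched rather than re-evaluated against the ruleset.
pass in quick on en0 inet6 proto tcp from fe80::/10 to (en0) \
    port { 22, 548, 5900 } flags S/SA keep state

# Any other link-local traffic falls through to the rules that follow this anchor.
```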