Hello Sashan,

I completely forgot about testing link-scope addresses. I implemented your rule and, sure enough, was able to get IPv6 connectivity. I greatly appreciate your help with that.

I further experimented with that rule and modified it to only divert-packet on link-scope addresses:

pass out on $lan inet6 from fe80::/64 to fe80::/64 divert-packet port 700

As I expected, I lost IPv6 connectivity again. Using that divert program I rewrote, I see a ton of "sendto: Network is unreachable", but this only happens with link-scope addresses.

(OpenBSD Router)                        (Client)
fe80::8ac:2eff:fec7:50da:34304 -> fe80::4d13:8090:55de:5d25:53174
a.out: sendto: Network is unreachable

Likewise, I am unable to ping any link-scope addresses from the router on the $lan side. However, I can ping any link-scope address from the client. This very well could be due to a problem that I introduced when rewriting the divert program to do IPv6.

However, when I use this rule:

pass out on $lan inet6 from fe80::/64 to fe80::/64 divert-packet port 700

I am unable to obtain any IPv6 connectivity, and if I disconnect the client and reconnect it to this network, I won't even get a global IPv6 address, using the divert program or Suricata, which leads me to believe that the "sendto: Network is unreachable" is occurring on Suricata and the divert program.

Thanks,
Logan Dunbar

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, May 18, 2020 5:05 AM, Alexandr Nedvedicky <[email protected]> wrote:

> Hello Logan,
>
> I had no time to try it out yet. there is one thing, which caught my eye in
> your description. See my in-line question further below.
>
> On Mon, May 18, 2020 at 04:21:05AM +0000, Logan Dunbar wrote:
>
> > I had to forward this in because my ISP blocks SMTP, apologies if the
> > formatting is incorrect.
> >
> > > Synopsis: PF divert-packet does not work with IPv6, only IPv4
> > > Category: kernel
> > > Environment:
> > > System : OpenBSD 6.7
> > > Details : OpenBSD 6.7-current (GENERIC.MP) #194: Sun May 17 09:52:26 MDT 2020
> > > [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > Architecture: OpenBSD.amd64
> > Machine : amd64
> >
> > > Description:
> > > Recently, I have set up Suricata on OpenBSD and was able to get it to
> > > work with IPv4 using divert-packet. However, when I attempted to use IPv6
> > > using divert-packet, I lost all connectivity.
> > > How-To-Repeat:
> > > When I used this rule:
> > > pass out on $lan inet divert-packet port 700
> >
> > It worked with only IPv4, as it should, but it diverted perfectly.
> > When I attempted this rule:
> > pass out on $lan inet6 divert-packet port 700
>
> perhaps you may want to adjust the rule a bit to ignore link-scope
> addresses:
>
> pass out on $lan inet6 from !fe80::/64 to !fe80::/64 divert-packet port 700
>
> modification above may help to get your IPv6 connectivity back.
>
> Hope it helps
> regards
> sashan
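Added here as an example, not the divert program from this thread: an IPv6 divert(4) reader in the shape of the loop from the divert(4) manual page, with a header parser that flags the link-local-to-link-local packets the "from fe80::/64 to fe80::/64" rule selects and names both addresses whenever sendto fails. The function names and the constructed test packet are my own assumptions; the socket part is OpenBSD-specific and compiles only where IPPROTO_DIVERT is defined.

```c
/* Added example, not the thread's program; socket code compiles only on OpenBSD. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip6.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Fill src/dst text from the IPv6 header. Returns 1 when both addresses are
 * link-local, 0 when not, -1 if shorter than an IPv6 header or not version 6. */
int describe_ip6(const unsigned char *pkt, size_t len, char *src, char *dst,
    size_t alen)
{
	struct ip6_hdr h;
	src[0] = dst[0] = '\0';
	if (len < sizeof(h) || (pkt[0] >> 4) != 6)
		return -1;
	memcpy(&h, pkt, sizeof(h));	/* pkt may be unaligned */
	inet_ntop(AF_INET6, &h.ip6_src, src, alen);
	inet_ntop(AF_INET6, &h.ip6_dst, dst, alen);
	return IN6_IS_ADDR_LINKLOCAL(&h.ip6_src) && IN6_IS_ADDR_LINKLOCAL(&h.ip6_dst);
}
#ifdef IPPROTO_DIVERT
/* Bind the port named in the pf rule, log link-local pairs, reinject each packet
 * with the sockaddr the kernel handed back, and name both addresses on sendto errors. */
int divert6_loop(int port)
{
	struct sockaddr_in6 sin6 = { .sin6_family = AF_INET6, .sin6_port = htons(port) };
	socklen_t slen;
	unsigned char pkt[65535];
	char src[INET6_ADDRSTRLEN], dst[INET6_ADDRSTRLEN];
	ssize_t n;
	int fd = socket(AF_INET6, SOCK_RAW, IPPROTO_DIVERT);
	if (fd == -1 || bind(fd, (struct sockaddr *)&sin6, sizeof(sin6)) == -1) {
		perror("divert socket");
		return -1;
	}
	for (;;) {
		slen = sizeof(sin6);
		if ((n = recvfrom(fd, pkt, sizeof(pkt), 0, (struct sockaddr *)&sin6, &slen)) == -1)
			break;
		if (describe_ip6(pkt, (size_t)n, src, dst, sizeof(src)) == 1)
			printf("link-local: %s -> %s\n", src, dst);
		if (sendto(fd, pkt, n, 0, (struct sockaddr *)&sin6, slen) == -1)
			fprintf(stderr, "sendto %s -> %s: %s\n", src, dst, strerror(errno));
	}
	return -1;	/* recvfrom failed */
}
#endif
```

On OpenBSD, call divert6_loop(700) from main to serve the rules quoted above and watch which address pairs produce the sendto error.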
