I've got a site that uses ULA IPv6 addresses (fd60:7f9c:65d8::/48), and a routed subnet courtesy of HE (2001:470:1f11:103d::/64). Unsurprisingly, that's routed to this site over an HE tunnel on gif0. IPv6 from pfSense itself appears to work just fine; I can successfully communicate from pfSense itself using ICMPv6, TCPv6, & UDPv6.
However, the NPt entry doesn't seem to actually... well... *do* anything.

When I ping www.google.com from the inside, tcpdump on the gif0 interface reveals interesting things like:

   [2.2.2-RELEASE][[email protected]]/root: tcpdump -i gif0 -l -n ip6 and not src 2001:470:1f10:103d::2 and not src 2001:470:1f10:103d::1
   tcpdump: WARNING: gif0: no IPv4 address assigned
   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   listening on gif0, link-type NULL (BSD loopback), capture size 65535 bytes
   capability mode sandbox enabled
   08:05:39.357769 IP6 fd60:7f9c:65d8:158::dc1 > 2607:f8b0:400b:80b::1013: ICMP6, echo request, seq 22, length 40
   08:05:44.174272 IP6 fd60:7f9c:65d8:158::dc1 > 2607:f8b0:400b:80b::1013: ICMP6, echo request, seq 23, length 40

while the internal tcpdump looks like this:

   [2.2.2-RELEASE][[email protected]]/root: tcpdump -i bge0_vlan158 -l -n ip6
   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   listening on bge0_vlan158, link-type EN10MB (Ethernet), capture size 65535 bytes
   capability mode sandbox enabled
   08:05:39.356828 IP6 fd60:7f9c:65d8:158::dc1 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has fd60:7f9c:65d8:158::1, length 32
   08:05:39.356928 IP6 fd60:7f9c:65d8:158::1 > fd60:7f9c:65d8:158::dc1: ICMP6, neighbor advertisement, tgt is fd60:7f9c:65d8:158::1, length 32
   08:05:39.357713 IP6 fd60:7f9c:65d8:158::dc1 > 2607:f8b0:400b:80b::1013: ICMP6, echo request, seq 22, length 40
   08:05:44.174241 IP6 fd60:7f9c:65d8:158::dc1 > 2607:f8b0:400b:80b::1013: ICMP6, echo request, seq 23, length 40

Clearly, NPt isn't happening.
From /tmp/rules.debug:

   binat on $MTSDSL from fd60:7f9c:65d8:158::/64 to any -> 2001:470:1f11:103d::/64
   binat on $MTSDSL from any to 2001:470:1f11:103d::/64 -> fd60:7f9c:65d8:158::/64

What am I missing???

-Adam
