Hi,

I just built an OpenBSD box as a NAT64 gateway and I can't figure out how af-to works.

Here is the configuration of the OpenBSD NAT64 gateway:
----------------------
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33144
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
vio0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:16:3e:1b:ac:9c
        priority: 0
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 202.249.25.3 netmask 0xffffffe0 broadcast 202.249.25.31
        inet6 fe80::216:3eff:fe1b:ac9c%vio0 prefixlen 64 scopeid 0x1
vio1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:16:3e:65:2b:0b
        priority: 0
        groups: egress
        media: Ethernet autoselect
        status: active
        inet6 2001:d30:101:624::24 prefixlen 64
        inet6 fe80::216:3eff:fe65:2b0b%vio1 prefixlen 64 scopeid 0x2
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
        priority: 0
        groups: pflog

I am sure that all static routing is working as expected:

# route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            202.249.25.1       UGS        7    14487     -     8 vio0
127/8              127.0.0.1          UGRS       0        0 33144     8 lo0
127.0.0.1          127.0.0.1          UH         1       66 33144     4 lo0
202.249.25.0/27    link#1             UC         2        0     -     4 vio0
202.249.25.1       00:0e:38:61:db:1b  UHLc       1        0     -     4 vio0
202.249.25.26      00:30:48:2f:89:e6  UHLc       0      207     -     4 vio0
224/4              127.0.0.1          URS        0        0 33144     8 lo0

# route -n show -inet6
Routing tables

Internet6:
Destination        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::/104             ::1                            UGRS       0        0     -     8 lo0
::/96              ::1                            UGRS       0        0     -     8 lo0
default            fe80::21b:2aff:fee2:a4c0%vio1  UGS        0      126     -     8 vio1

--- www.openbsd.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 214.183/214.232/214.284/0.380 ms

--- wfe0.ysv.freebsd.org ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 127.799/128.293/129.247/0.586 ms

/etc/pf.conf:
set limit states 100000
set skip on lo0
block           # block stateless traffic
pass            # establish keep-state
pass in log on vio1 inet6 from any to 2001:d30:101:624::/96 af-to inet from 202.249.25.3

# pfctl -sr
block drop all
pass all flags S/SA
pass in log on vio1 inet6 from any to 2001:d30:101:624::/96 flags S/SA af-to inet from 202.249.25.3
----------------------------------------

The client is Linux, which triggers traffic using curl:

% curl -o /dev/null http://cloud.ub.ac.id

totd on the client works as expected:

%dig cloud.ub.ac.id AAAA
ANSWER SECTION:
cloud.ub.ac.id.         2826    IN      AAAA    2001:d30:101:624::af2d:ba16

Copy-pasted results from the OpenBSD NAT64 box:
--------------------------------------------
all tcp 202.249.25.3:22 <- 222.189.239.75:6000       TIME_WAIT:TIME_WAIT
   [1820311286 + 16384]  [1995636736 + 16385]
   age 00:00:58, expires in 00:00:32, 2:1 pkts, 80:44 bytes, rule 1
all tcp 202.249.25.3:56624 (2001:d30:101:5::12:12[43781]) -> 175.45.186.22:80 (2001:d30:101:624::af2d:ba16[80])       CLOSED:SYN_SENT
   [0 + 5760]  [1331720812 + 1]
   age 00:00:34, expires in 00:00:05, 3:0 pkts, 240:0 bytes, rule 2
all ipv6-icmp 2001:d30:101:1::7200[135] <- fe80::21b:2aff:fee2:a4ea[24113]       0:0
   age 00:00:18, expires in 00:00:00, 6:0 pkts, 432:0 bytes, rule 1
all tcp 202.249.25.3:65099 (2001:d30:101:5::12:12[43782]) -> 175.45.186.22:80 (2001:d30:101:624::af2d:ba16[80])       CLOSED:SYN_SENT
   [0 + 5760]  [857057431 + 1]
   age 00:00:14, expires in 00:00:25, 3:0 pkts, 240:0 bytes, rule 2
all ipv6-icmp fe80::216:3eff:fe65:2b0b[135] <- fe80::21b:2aff:fee2:a4c0[5895]       0:0
   age 00:00:08, expires in 00:00:02, 1:1 pkts, 72:64 bytes, rule 1

# tcpdump -nvvi vio1 -c 10 tcp
tcpdump: listening on vio1, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
01:39:01.503633 2001:d30:101:5::12:12.47111 > 2001:d30:101:624::af2d:ba16.80: S [tcp sum ok] 2836639686:2836639686(0) win 5760 <mss 1440,sackOK,timestamp 1774791709 0,nop,wscale 6> (len 40, hlim 62)
01:39:04.487460 2001:d30:101:5::12:12.47111 > 2001:d30:101:624::af2d:ba16.80: S [tcp sum ok] 2836639686:2836639686(0) win 5760 <mss 1440,sackOK,timestamp 1774794709 0,nop,wscale 6> (len 40, hlim 62)
01:39:10.457150 2001:d30:101:5::12:12.47111 > 2001:d30:101:624::af2d:ba16.80: S [tcp sum ok] 2836639686:2836639686(0) win 5760 <mss 1440,sackOK,timestamp 1774800709 0,nop,wscale 6> (len 40, hlim 62)

# tcpdump -nvvi vio0 -c 10 dst 175.45.186.22
tcpdump: listening on vio0, link-type EN10MB
tcpdump: WARNING: compensating for unaligned libpcap packets
01:39:10.457194 202.249.25.3.55753 > 175.45.186.22.80: S [bad tcp cksum 90b2!] 2836639686:2836639686(0) win 5760 <mss 1440,sackOK,timestamp 1774800709 0,nop,wscale 6> (DF) (ttl 62, id 62606, len 60)
01:39:22.403999 202.249.25.3.60635 > 175.45.186.22.80: S [bad tcp cksum 90b2!] 2370813582:2370813582(0) win 5760 <mss 1440,sackOK,timestamp 1774812716 0,nop,wscale 6> (DF) (ttl 62, id 28055, len 60)
01:39:25.389106 202.249.25.3.60635 > 175.45.186.22.80: S [bad tcp cksum 90b2!] 2370813582:2370813582(0) win 5760 <mss 1440,sackOK,timestamp 1774815716 0,nop,wscale 6> (DF) (ttl 62, id 64786, len 60)
01:39:31.358330 202.249.25.3.60635 > 175.45.186.22.80: S [bad tcp cksum 90b2!] 2370813582:2370813582(0) win 5760 <mss 1440,sackOK,timestamp 1774821716 0,nop,wscale 6> (DF) (ttl 62, id 35730, len 60)
---------------------------------------------

Somehow the above settings do not work as expected, since the client cannot reach the destination:

%curl -o /dev/null http://cloud.ub.ac.id
curl: (7) Failed to connect to 175.45.186.22: Network is unreachable

%curl -6 -o /dev/null http://cloud.ub.ac.id
curl: (7) couldn't connect to host

Did I miss something here? Where should I do debugging?

Thanks!

-- 
-dikshie-
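
Added example, not part of the original post: a small Python check of the af-to mapping visible in the state table above. It assumes the usual /96 NAT64 layout, where the IPv4 destination is the low 32 bits of the IPv6 destination; the function names are hypothetical and the sample lines are the first line of two state entries from the post.

```python
import ipaddress
import re

NAT64_PREFIX = ipaddress.ip_network("2001:d30:101:624::/96")  # "to" prefix in the pf rule
AFTO_SOURCE = ipaddress.ip_address("202.249.25.3")            # "af-to inet from" address

# First line of two state entries, copied from the post.
STATE_LINES = [
    "all tcp 202.249.25.3:56624 (2001:d30:101:5::12:12[43781]) -> "
    "175.45.186.22:80 (2001:d30:101:624::af2d:ba16[80])       CLOSED:SYN_SENT",
    "all tcp 202.249.25.3:22 <- 222.189.239.75:6000       TIME_WAIT:TIME_WAIT",
]

# Translated states show the IPv4 side first and the original IPv6
# address[port] in parentheses after each endpoint.
STATE_RE = re.compile(
    r"^all tcp (?P<src4>[\d.]+):\d+ \((?P<src6>[0-9a-f:]+)\[\d+\]\) -> "
    r"(?P<dst4>[\d.]+):\d+ \((?P<dst6>[0-9a-f:]+)\[\d+\]\)\s+(?P<state>\S+)$"
)


def embedded_ipv4(addr6, prefix=NAT64_PREFIX):
    """Return the IPv4 address carried in the low 32 bits, or None if
    addr6 is outside the NAT64 prefix."""
    addr6 = ipaddress.ip_address(addr6)
    if addr6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr6) & 0xFFFFFFFF)


def check_state(line):
    """Check one state line against the rule; None if it is not an
    address-family-translated TCP state."""
    m = STATE_RE.match(line)
    if m is None:
        return None
    dst4 = ipaddress.ip_address(m["dst4"])
    return {
        "client": m["src6"],
        "dst4": str(dst4),
        "dst_matches_prefix_mapping": embedded_ipv4(m["dst6"]) == dst4,
        "src_is_afto_address": ipaddress.ip_address(m["src4"]) == AFTO_SOURCE,
        "state": m["state"],
    }


if __name__ == "__main__":
    for line in STATE_LINES:
        print(check_state(line))
```

For the translated state, both checks come back true: the address rewrite itself matches the rule, and the state string is the one shown in the post.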