On Aug 20, 2014, at 7:43 AM, Adam Thompson <athom...@athompso.net> wrote:

> I know - I could tell by the addresses you provided :-).

So much for *my* anonymity... ;-)

>
> Basically, yes. Although you have a "router" (does things with IP packets),
> not a "bridge" (does things with Ethernet frames) - that's a huge difference.
> I don't think I've ever relied on address autoconfig - it looks very nice in
> theory but has some limitations in practice. I would test everything using
> static IPs and static routes first, and then move on to rtadvd.
>
> HE assigns two blocks of addresses with every tunnel - the point-to-point
> tunnel addresses and the "Routed IPv6 Prefixes".
> You want to use the IPv6 Tunnel Endpoints on the gif0 tunnel, which is
> presumably built on top of $external_if, and you want to use the Routed IPv6
> Prefixes on $internal_if. Note that it is perfectly valid to have public IPv6
> addresses running on the same subnet as private (RFC1918) IPv4 addresses -
> IPv4 traffic gets NAT'd, IPv6 traffic merely gets routed.

rtadvd: Yes, one thing at a time. Static IPs first.

router vs. bridge: good point. Because those "routed IPv6 Prefixes" are available, there are two networks in play, so it's routing and not bridging. I was initially operating under the assumption that there was one network for both the tunnel endpoint and the other hosts, so I thought "bridge!". But that isn't the case.

>
> Do beware that your pf ruleset must pass IPv6 traffic without NAT'ing it... I
> think this is the default now, not sure.

This, I will have to dig into. I wasn't aware that PF was enabled. But I suspect you can't get very far in these setups without it. Another responder provided some PF rules to try, so I can study those.
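
The layout discussed in this message (IPv4 NAT'd, IPv6 routed over gif0) written out as a pf.conf sketch. This is an added example, not part of the original thread and not the rules the other responder posted. The interface names, the tunnel server address and the routed prefix are constructed placeholders. Because the internal hosts hold public IPv6 addresses with no NAT in front of them, the default-deny rule and stateful filtering on gif0 are what keep unsolicited inbound IPv6 away from them.

```conf
# pf.conf sketch (OpenBSD 4.7+ syntax). All values below are placeholders.
external_if = "em0"               # assumption: WAN interface under the tunnel
internal_if = "em1"               # assumption: LAN interface
tunnel_if   = "gif0"              # 6in4 tunnel to HE
he_server   = "192.0.2.1"         # placeholder: HE tunnel server IPv4 address
routed6     = "2001:db8:1::/64"   # placeholder: HE "Routed IPv6 Prefix"

set skip on lo

# Default deny. With public IPv6 addresses on the LAN this is the only thing
# standing between the Internet and the internal hosts.
block log all

# IPv4: translate only inet (IPv4) traffic leaving the external interface.
# The "inet" keyword keeps this rule from ever matching IPv6 packets.
match out on $external_if inet from $internal_if:network to any \
    nat-to ($external_if)
pass in  on $internal_if inet from $internal_if:network
pass out on $external_if inet

# Tunnel transport: 6in4 is IP protocol 41 between this router and HE.
# Outbound protocol 41 is already covered by the IPv4 "pass out" rule above.
pass in on $external_if inet proto 41 from $he_server to ($external_if)

# IPv6: routed, never translated (no nat-to on any inet6 rule).
# Only the routed prefix is accepted as a source on the LAN side.
pass in  on $internal_if inet6 from $routed6 to any
# State created here admits replies; unsolicited inbound on gif0 hits "block".
pass out on $tunnel_if inet6

# ICMPv6 carries neighbor discovery and path MTU discovery; IPv6 breaks
# without it. Tighten by icmp6-type once static addressing works.
pass inet6 proto icmp6 all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -sr` and `pfctl -ss` to confirm that IPv6 flows appear as states on gif0 without a translated address.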