> On 9 Apr 2021, at 18:55, Martin <martin...@protonmail.com> wrote:
> 
> Hello list,
> 
> I have a working IPv4 OpenBSD router. There are no problems with native IPv4 
> and IPv6 traffic filtering/redirecting at all.
> 
> Now I'm stuck with filtering IPv4 traffic encapsulated in an IPv6 tunnel using a gif 
> interface.
> 
> The IPv6 interface is tun0, which has a unique IPv6 address assigned, and gif0 has 
> the same unique IPv6 address as tun0, with IPv4 wrapped into IPv6 as shown in the configs.
> 
> The configuration is the same on the opposite side, except that the IPv4 and IPv6 source 
> and destination addresses are reversed to make a tunnel.
> 
> I'm not sure if I need to use a bridge between tun0 and gif0 to have it 
> working.
> 
> I'm looking for an appropriate PF filtering rule to pass the IPv4-encapsulated traffic 
> appearing on tun0, which is blocked by the "block all" PF rule for some reason.
> 
> Any ideas welcome.
> 
> === Side-a ===
> 
> # cat /etc/hostname.gif0
> # gif0
> up
> description 'IPv4 over IPv6 tunnel'
> # tunnel [src IPv6] [dst IPv6]
> tunnel dddd:cccc:bbbb:aaaa::18b5 aaaa:bbbb:cccc:dddd::a503
> inet alias 10.190.0.1
> dest 10.190.0.2
> 
> # ifconfig tun0
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
>        index 44 priority 0 llprio 3
>        groups: tun
>        status: active
>        inet6 fe80::5054:ffc:fe04:f824%tun0 ->  prefixlen 64 scopeid 0x2c
>        inet6 dddd:cccc:bbbb:aaaa::18b5 ->  prefixlen 48
> 
> === Side-b ===
> 
> # cat /etc/hostname.gif0
> # gif0
> up
> description 'IPv4 over IPv6 tunnel'
> # tunnel [src IPv6] [dst IPv6]
> tunnel aaaa:bbbb:cccc:dddd::a503 dddd:cccc:bbbb:aaaa::18b5
> inet alias 10.190.0.2
> dest 10.190.0.1
> 
> # ifconfig tun0
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
>        index 44 priority 0 llprio 3
>        groups: tun
>        status: active
>        inet6 fe80::2a15:f3af:fefb:a3b0%tun0 ->  prefixlen 64 scopeid 0x2c
>        inet6 aaaa:bbbb:cccc:dddd::a503 ->  prefixlen 48
> 

Hi Martin,

bridge(4) only works with Ethernet interfaces, there is no equivalent to 
bridge(4) for tunnels. I don't think that's related or necessary for solving 
your problem though.

Without a look at your IPv6 routing table it's hard to tell what could be 
happening here. My first impression is that your routers don't have routes for 
the IPv6 endpoints over the tun0 interfaces. For this to work, I'd expect to 
see something like this in your tun0 output:

=== Side-a ===

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
       index 44 priority 0 llprio 3
       groups: tun
       status: active
       inet6 fe80::5054:ffc:fe04:f824%tun0 ->  prefixlen 64 scopeid 0x2c
       inet6 dddd:cccc:bbbb:aaaa::18b5 -> aaaa:bbbb:cccc:dddd::a503 prefixlen 128

and:

=== Side-b ===

# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
       index 44 priority 0 llprio 3
       groups: tun
       status: active
       inet6 fe80::2a15:f3af:fefb:a3b0%tun0 ->  prefixlen 64 scopeid 0x2c
       inet6 aaaa:bbbb:cccc:dddd::a503 -> dddd:cccc:bbbb:aaaa::18b5 prefixlen 128

This isn't strictly necessary though; the important thing is that the route to 
the dst IPv6 endpoint is over tun0. You should be able to check if that is the 
case by running "route get [dst IPv6]" and looking for tun0 in the "interface:" line. 
You should also be able to ping6 between the IPv6 tunnel endpoints. If ping6 
isn't working, then I wouldn't expect gif traffic to work either.

Cheers,
dlg
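As an added example, not part of the thread: a small sh script that automates the two checks dlg describes before any gif0 traffic can be expected to pass, the "route get" lookup for the peer endpoint (its "interface:" line must say tun0) and a ping6 between the tunnel endpoints. The "route -n get" samples are constructed here in the shape of OpenBSD's output so the parsing can be tried off the router; the addresses reuse the thread's placeholders and the em0 fallback case is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: automate dlg's two checks.
#   1. "route -n get <peer>" must show tun0 on its "interface:" line
#   2. ping6 between the IPv6 tunnel endpoints must get replies
# Interface names and the peer addresses are assumptions taken from the
# thread's placeholder configs.

# Read "route -n get" output on stdin and print the interface it chose.
iface_from_route_get() {
    awk '$1 == "interface:" { print $2; exit }'
}

# Exit 0 if the route-get output on stdin leaves via interface $1, else 1.
# An output with no "interface:" line at all also counts as a failure.
route_uses_iface() {
    want="$1"
    got=$(iface_from_route_get)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Live check for one side of the tunnel: $1 = remote IPv6 endpoint,
# $2 = interface the route to it should use (tun0 here).
check_tunnel_endpoint() {
    peer="$1"
    wantif="$2"
    if ! route -n get "$peer" | route_uses_iface "$wantif"; then
        echo "FAIL: route to $peer does not use $wantif; the gif tunnel will not run over the tun interface" >&2
        return 1
    fi
    if ! ping6 -c 3 "$peer" >/dev/null 2>&1; then
        echo "FAIL: $peer is routed via $wantif but ping6 gets no reply; gif traffic will not work either" >&2
        return 1
    fi
    echo "OK: $peer reachable over $wantif, gif0 encapsulation can be tested next"
}

# Constructed sample "route -n get" output in OpenBSD's layout, so the
# parsing can be exercised on any machine. First the good case as seen from
# side-a, then the broken case where the peer falls through to the default
# route on an assumed uplink em0.
ROUTE_GET_OK='   route to: aaaa:bbbb:cccc:dddd::a503
destination: aaaa:bbbb:cccc:dddd::a503
  interface: tun0
 if address: dddd:cccc:bbbb:aaaa::18b5
   priority: 8 (static)
      flags: <UP,DONE,STATIC>'
ROUTE_GET_BAD='   route to: aaaa:bbbb:cccc:dddd::a503
destination: default
       mask: default
    gateway: fe80::1%em0
  interface: em0
 if address: 2001:db8:1::2
   priority: 8 (static)
      flags: <UP,GATEWAY,DONE,STATIC>'

# Demo on the constructed samples. On an OpenBSD router run
#   sh check_tunnel.sh aaaa:bbbb:cccc:dddd::a503 tun0
# (side-a; swap the address on side-b) to perform the live check.
printf '%s\n' "$ROUTE_GET_OK" | route_uses_iface tun0 && \
    echo "sample ok:  peer routed over tun0"
printf '%s\n' "$ROUTE_GET_BAD" | route_uses_iface tun0 || \
    echo "sample bad: peer routed over $(printf '%s\n' "$ROUTE_GET_BAD" | iface_from_route_get), not tun0"
if [ $# -eq 2 ] && command -v route >/dev/null 2>&1; then
    check_tunnel_endpoint "$1" "$2"
fi
```

The route check comes first on purpose: a ping6 that succeeds over the wrong interface (the uplink instead of tun0) would look healthy while the gif encapsulation still never enters the tunnel, which is exactly the situation the reply is trying to rule out.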
