Penned by Stephan A. Rickauer on 20081219 11:01.16, we have:
| Thanks a lot for your help, Todd.
|
| On Wed, 2008-12-17 at 13:01 -0600, Todd T. Fries wrote:
| > | The ipv6 only client gets its ipv6 address via the rtadvd running on the
| > | gateway's internal interface. The gateway's external interface is ipv4
| > | only.
| >
| > So however you've managed it you have an IPv6 subnet internally. But it is
| > not routed to the world? Shame. Go get a tunnel broker and fix this! You
| > really are missing out..
|
| Yep, University gave us five ipv6 ranges without being able to route
| them (yet).

Yecht. *sigh*. Hopefully this changes ;-)

| > | The ipv6 host can already ping6 the gateway. DNS I have 'fixed' with
| > | totd, so ipv4 addresses are mapped into the ipv6 space:
| > |
| > | ipv6-client:~$ host www.google.ch
| > | www.l.google.com has address 74.125.39.147
| > | www.l.google.com has IPv6 address 2001:620:10:1401::4a7d:2767
| > |
| > | The default ipv6-gateway of my ipv6 client is properly set
| > | in /etc/mygate.
| > |
| > | I try to use pf on the gateway to intercept tcp/ip6 traffic and to feed
| > | it into relayd. The relevant parts are as follows:
| > |
| > | ---pf.conf--
| > | rdr pass inet6 proto tcp from lan:network -> :: port 8081
| > | ---pf.conf--
| >
| > Wrong. Try this instead:
| >
| > rdr pass inet6 proto tcp from lan:network -> lan port 8081
| >
| > You cannot redirect to `::', a wildcard address. You must redirect to
| > a specific address.
|
| Oh, yes. This is wrong indeed. I wonder why pfctl hasn't bailed out.
| However, using "-> ::1" should then do the trick as well, right?

Sorry I was not clear. With IPv6, unlike IPv4, it is not possible to
redirect to `localhost'. You must redirect to a global scope address.

[..]
| > .. this way http traffic gets some info injected about being forwarded.
|
| I will take care of http as soon as the basic setup works.

Sure.

[..]
| > I think the pf.conf tweak may be all that's necessary for you to see traffic
| > via relayd.
|
| Unfortunately, it doesn't. The packets aren't blocked by pf but are
| properly redirected to relayd. Relayd stays quiet.
|
| On a side note: I also don't understand why the wrong default gateway is
| advertised to my client. Instead of my global IPv6 address, the
| link-local address is propagated. I was under the impression rtadvd will
| take care of it:
|
| gw$ cat /etc/rtadvd.conf
| em0:\
| :addr="2001:620:10:1401::":prefixlen#64:raflags#0:

You have a wrong understanding of IPv6.

It is recommended to use the link local address for the router(s) since they
will always be link local. Routing to a global scope address is a last
choice. Don't override the defaults here, you have no good reason to.

| client$ sudo route -n show -inet6 | grep default
| default fe80::20c:f1ff:fe8f:a9c4%em0 UG 0 43 - em0
|
| client$ cat /etc/mygate
| 2001:620:10:1401::eeee

Choose one or the other. You either need a default route in /etc/mygate and
a static IP for the client or you need rtsol(d).

One trick I picked up from ISC is if you want your client to be '::eeee'
then set this in the hostname.if file:

inet6 fe80::eeee
rtsol

.. and you'll get global scope addresses on that host that end in ::eeee.

[..]
| > Hope this provides some useful pointers!
|
| Well, at least my pf.conf is fixed now! Thanks again. But I still
| struggle with relayd. I'll try to setup this case at home on my much
| simpler environment over christmas. Maybe that'll work.

I'm still convinced the pf.conf is the problem, redirect to a global scope
IPv6 address and I suspect you'll be much better off.

Thanks,
-- 
Todd Fries .. [email protected]

 Free Daemon Consulting, LLC                   1.636.410.0632 (voice)
 http://FreeDaemonConsulting.com               1.405.227.9094 (voice)
 "..in support of free software solutions."    1.866.792.3418 (FAX)
                                               250797 (FWD)

37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A http://todd.fries.net/pgp.txt
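As an added illustration of the rdr-target point made in this thread (this is not code from the thread or from OpenBSD), a small Python audit that flags inet6 rdr rules whose redirect target is the unspecified address, loopback, or a link-local address instead of a specific global-scope address. The pf.conf lines it checks are constructed samples built around the rule discussed above; interface names or macros such as `lan` cannot be resolved offline, so they are reported as unresolved rather than judged.

```python
import ipaddress
import re

# Constructed sample pf.conf: the rule from the thread, the proposed `::1'
# variant, Todd's interface-name fix, a global address, a link-local
# address, and an IPv4 rule for contrast (IPv4 rdr to loopback is fine).
SAMPLE_PF_CONF = """\
rdr pass inet6 proto tcp from lan:network -> :: port 8081
rdr pass inet6 proto tcp from lan:network -> ::1 port 8081
rdr pass inet6 proto tcp from lan:network -> lan port 8081
rdr pass inet6 proto tcp from lan:network -> 2001:620:10:1401::1 port 8081
rdr pass inet6 proto tcp from lan:network -> fe80::1 port 8081
rdr pass inet proto tcp from lan:network -> 127.0.0.1 port 8081
"""

# Matches `rdr ... -> TARGET [port N]'; TARGET may be an address, an
# interface name or a macro, optionally wrapped in braces or parentheses.
RDR_RE = re.compile(r"^\s*rdr\b.*?->\s*[({]?\s*(?P<target>[^\s)}]+)")


def classify_rdr_target(line):
    """Return (target, verdict) for an rdr rule, or None for other lines.

    verdict is 'ok', 'unspecified', 'loopback', 'link-local' or
    'unresolved' (interface/macro name, resolved by pfctl at load time).
    """
    m = RDR_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    try:
        addr = ipaddress.ip_address(target.split("/")[0])
    except ValueError:
        return target, "unresolved"
    if addr.version == 4:
        return target, "ok"  # the restriction in the thread is IPv6-specific
    if addr.is_unspecified:
        return target, "unspecified"
    if addr.is_loopback:
        return target, "loopback"
    if addr.is_link_local:
        return target, "link-local"
    return target, "ok"


def audit_pf_conf(text):
    """Return (line_no, target, verdict) for every IPv6 rdr rule whose
    target is not a specific global-scope address."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        res = classify_rdr_target(line)
        if res is not None and res[1] not in ("ok", "unresolved"):
            findings.append((no, res[0], res[1]))
    return findings
```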

