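Dear list,

I'm using pf on openbsd on my gateway, and decided to get some IPv6 connectivity. I did it a couple of years ago without troubles, and thought I'd have little troubles repeating the operation tonight.

My ISP provides native IPv6, so it's only a question of configuring pppd, binding an ipv6 to one interface and running rtadvd to configure the other hosts of the lan. After updating my pppd and managing to get IPV6CP working, I assigned one of my IPv6 addresses on one of the internal interfaces, and tried basic connectivity checks, like ping6 and traceroute6 (which were allowed in my pf.conf).

While running these commands, I had tcpdump snooping on tun0 (I use dsl here, so my internet is tun0), and quickly noticed the source IPv6 for the packets was a local link address. I was quite puzzled and didn't immediately think about pf being the cause of the problem, and spent quite some time investigating. The local link address used was the address of tun0.

Here are the commands that were puzzling me:

---><---
beast# ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:7a8:3ef3::1 --> 2001:200:0:8002:203:47ff:fea5:3085
[...]
---><---

and in another shell

---><---
tcpdump: listening on tun0, link-type LOOP
23:34:06.640287 fe80::200:b4ff:feaa:303f > 2001:200:0:8002:203:47ff:fea5:3085: icmp6: echo request
---><---

As I got rtadvd working, I tried the connectivity checks from another host in my lan, but still had the same results with tcpdump. I wasn't blaming pf for I thought nat wouldn't apply for ipv6. I still double checked my pf.conf, and spent some time looking at the following line:

---><---
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
---><---

I changed this line to

---><---
nat on $ext_if inet from $lan_address to any -> ($ext_if)
---><---

and reloaded the ruleset and no longer had the ipv6 problems.

I tested that on openbsd as stated above, and I don't know if the behavior is the same on freebsd or netbsd. Should this be considered normal, working as intended, or should this be considered a bug? I personally don't see a point in using NAT and IPv6, and certainly not to NAT with a local link address ;-)

regards,
--
Jerome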
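
Added example, not part of the original message: a check for the symptom reported above, packets leaving the external interface with a link-local (fe80::/10) source toward a routed destination. It parses tcpdump text output; the function names are hypothetical, and the sample capture is constructed except for the one line quoted in the message.

```python
import ipaddress
import re

# Constructed sample. The second line is the capture quoted in the message;
# the others are made up (2001:db8::/32 is the IPv6 documentation prefix).
SAMPLE = """\
tcpdump: listening on tun0, link-type LOOP
23:34:06.640287 fe80::200:b4ff:feaa:303f > 2001:200:0:8002:203:47ff:fea5:3085: icmp6: echo request
23:34:07.101010 2001:db8:1::10 > 2001:200:0:8002:203:47ff:fea5:3085: icmp6: echo request
23:34:08.202020 fe80::200:b4ff:feaa:303f > ff02::1: icmp6: router advertisement
23:34:09.303030 fe80::200:b4ff:feaa:303f.49152 > 2001:db8:2::53.53: udp 32
"""

# timestamp, source token, '>', destination token terminated by ': '
LINE = re.compile(r"^(\S+)\s+(\S+)\s+>\s+(\S+?):\s")


def parse_addr(token):
    """Return an IPv6Address, dropping a trailing '.port' if tcpdump added one."""
    for candidate in (token, token.rpartition(".")[0]):
        try:
            return ipaddress.IPv6Address(candidate)
        except ValueError:
            continue
    return None  # not IPv6 (e.g. an IPv4 packet): ignored


def leaked_link_local(capture):
    """Return (timestamp, src, dst) for packets whose source is link-local
    but whose destination lies beyond the link."""
    hits = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst = parse_addr(m.group(2)), parse_addr(m.group(3))
        if src is None or dst is None:
            continue
        # Simplification: link-local and multicast destinations are treated
        # as on-link traffic (neighbor discovery, router advertisements).
        on_link = dst.is_link_local or dst.is_multicast
        if src.is_link_local and not on_link:
            hits.append((m.group(1), str(src), str(dst)))
    return hits


if __name__ == "__main__":
    for ts, src, dst in leaked_link_local(SAMPLE):
        print(f"{ts} link-local source {src} sent to {dst}")
```
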
My ISP provides native IPv6, so it's only a question of configuring pppd, binding an ipv6 to one interface and running rtadvd to configure the other hosts of the lan. After updating my pppd and managing to get IPV6CP working, I assigned one of my IPv6 addresses on one of the internal interfaces, and tried basic connectivity checks, like ping6 and traceroute6 (which were allowed in my pf.conf). While running these commands, I had tcpdump snooping on tun0 (I use dsl here, so my internet is tun0), and quickly noticed the source IPv6 for the packets was a local link address. I was quite puzzled and didn't immediately think about pf being the cause of the problem, and spent quite some time investigating. The local link address used was the address of tun0. Here are the commands that were puzzling me: ---><--- beast# ping6 www.kame.net PING6(56=40+8+8 bytes) 2001:7a8:3ef3::1 --> 2001:200:0:8002:203:47ff:fea5:3085 [...] --><--- and in another shell ---><--- tcpdump: listening on tun0, link-type LOOP 23:34:06.640287 fe80::200:b4ff:feaa:303f > 2001:200:0:8002:203:47ff:fea5:3085: icmp6: echo request ---><--- As I got rtadvd working, I tried the connectivity checks from another host in my lan, but still had the same results with tcpdump. I wasn't blaming pf for I thought nat wouldn't apply for ipv6. I still double checked my pf.conf, and spent some time looking at the following line: ---><--- nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if) ---><--- I changed this line to ---><--- nat on $ext_if inet from $lan_address to any -> ($ext_if) ---><--- and reloaded the ruleset and no longer had the ipv6 problems. I tested that on openbsd as stated above, and I don't know if the behavior is the same on freebsd or netbsd. Should this be considered normal, working as intended, or should this be considered a bug? I personnaly don't see a point in using NAT and IPv6, and certainly not to NAT with a local link address ;-) regards, -- Jerome