Dear list,

I'm using pf on OpenBSD on my gateway, and decided to get some IPv6
connectivity. I did it a couple of years ago without trouble, and
thought I'd have little trouble repeating the operation tonight.

My ISP provides native IPv6, so it's only a question of configuring
pppd, binding an IPv6 address to one interface and running rtadvd to
configure the other hosts of the LAN.

After updating my pppd and managing to get IPV6CP working, I assigned
one of my IPv6 addresses to one of the internal interfaces, and tried
basic connectivity checks, like ping6 and traceroute6 (which were
allowed in my pf.conf). While running these commands, I had tcpdump
snooping on tun0 (I use DSL here, so my internet is tun0), and quickly
noticed the source IPv6 address of the packets was a link-local address. I was
quite puzzled and didn't immediately think of pf as the cause of
the problem, and spent quite some time investigating. The link-local
address used was the address of tun0.

Here are the commands that were puzzling me:

---><---
beast# ping6 www.kame.net
PING6(56=40+8+8 bytes) 2001:7a8:3ef3::1 --> 2001:200:0:8002:203:47ff:fea5:3085
[...]
---><---

and in another shell

---><---
tcpdump: listening on tun0, link-type LOOP
23:34:06.640287 fe80::200:b4ff:feaa:303f > 2001:200:0:8002:203:47ff:fea5:3085: icmp6: echo request
---><---

Once I got rtadvd working, I tried the connectivity checks from another
host on my LAN, but still had the same results with tcpdump. I wasn't
blaming pf, since I thought NAT wouldn't apply to IPv6. I still double
checked my pf.conf, and spent some time looking at the following line:
---><---
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
---><---
I changed this line to 
---><---
nat on $ext_if inet from $lan_address to any -> ($ext_if)
---><---
reloaded the ruleset, and no longer had the IPv6 problems.

I tested that on OpenBSD as stated above, and I don't know if the
behavior is the same on FreeBSD or NetBSD.
Should this be considered normal, working as intended, or should this
be considered a bug? I personally don't see a point in using NAT with
IPv6, and certainly not NAT to a link-local address ;-)

regards,
-- 
    Jerome

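The symptom Jerome spotted by eye (outgoing IPv6 packets on tun0 carrying the interface's fe80:: link-local source while heading to a global destination) is easy to check mechanically over a saved tcpdump text capture. The script below is an added example, not code from the post or from the OpenBSD project; it assumes the plain-text line format OpenBSD's tcpdump prints (`timestamp src > dst: ...`, ports appended with a dot, no scope identifiers on link-local addresses), and the capture embedded in it is constructed for the demonstration, with the first two lines modelled on the echo request in the post. Neighbour solicitations to link-scoped multicast groups legitimately use a link-local source, so those are excluded rather than reported.

```python
import ipaddress

# Constructed sample capture (not taken from a real tun0). Lines 2 and 3
# mirror the echo request in the post; the others are for contrast:
# a neighbour solicitation (legitimate link-local source), a TCP SYN with
# a proper global source, and an IPv4 packet that must be ignored.
SAMPLE_CAPTURE = """\
23:34:05.000000 fe80::200:b4ff:feaa:303f > ff02::1:ffa5:3085: icmp6: neighbor sol: who has 2001:200:0:8002:203:47ff:fea5:3085
23:34:06.640287 fe80::200:b4ff:feaa:303f > 2001:200:0:8002:203:47ff:fea5:3085: icmp6: echo request
23:34:07.640301 fe80::200:b4ff:feaa:303f > 2001:200:0:8002:203:47ff:fea5:3085: icmp6: echo request
23:34:09.101223 2001:7a8:3ef3::1.41235 > 2001:200:0:8002:203:47ff:fea5:3085.80: S 1:1(0) win 16384
23:34:10.220000 192.0.2.10.55012 > 198.51.100.7.80: S 2:2(0) win 16384
"""


def _parse_addr(token):
    """Turn a tcpdump address token into an ip_address, or None.

    Handles the trailing ':' tcpdump puts after the destination and the
    '.port' suffix it appends for TCP/UDP (assumed OpenBSD tcpdump style).
    """
    token = token.rstrip(":")
    for candidate in (token, token.rsplit(".", 1)[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None


def parse_line(line):
    """Return (timestamp, src, dst) for a 'ts src > dst: ...' line, else None."""
    parts = line.split()
    if len(parts) < 4 or parts[2] != ">":
        return None
    src, dst = _parse_addr(parts[1]), _parse_addr(parts[3])
    if src is None or dst is None:
        return None
    return parts[0], src, dst


def _is_link_scoped(addr):
    """True for fe80::/10 and for multicast with interface- or link-local scope.

    The multicast scope is the low nibble of the second byte (1 = interface,
    2 = link), so ff02::1:ff00:0/104 solicited-node groups are link scoped.
    """
    if addr.is_link_local:
        return True
    return addr.is_multicast and (addr.packed[1] & 0x0F) <= 2


def scope_mismatches(capture):
    """List (timestamp, src, dst) for IPv6 packets leaving with a link-local
    source towards a destination outside the link, i.e. the pattern a NAT
    rule rewriting to the interface's fe80:: address would produce."""
    hits = []
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        if src.version != 6:
            continue  # IPv4 NAT to the interface address is expected
        if src.is_link_local and not _is_link_scoped(dst):
            hits.append((ts, str(src), str(dst)))
    return hits


if __name__ == "__main__":
    for ts, src, dst in scope_mismatches(SAMPLE_CAPTURE):
        print(f"{ts} link-local source {src} towards off-link {dst}")
```

Feed it the output of `tcpdump -n -i tun0 ip6` saved to a file to confirm the problem is gone after a ruleset change; a NAT rule that is still rewriting IPv6 shows up as every outbound packet having the tun0 fe80:: address as source.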