Hi, I've got an IPv6 network that I'd like to connect to an IPv4
network with a NAT64 router. The router has two interfaces with the
following configurations:

    - em0: internal, IPv6 network
        - IPv4 address: 10.0.66.1/24
        - IPv6 address: fc00::1/64

    - em1: external, IPv4 network
        - IPv4 address: DHCP
        - IPv6 address: none

I've enabled IP forwarding:

    # sysctl net.inet.ip.forwarding
    net.inet.ip.forwarding=1
    # sysctl net.inet6.ip6.forwarding
    net.inet6.ip6.forwarding=1

Here's my /etc/pf.conf _before_ adding any NAT64 rules. Note that it
is set up to perform NAT44 and I've verified that part works.

    set block-policy return
    set loginterface egress
    set skip on lo
    match out on egress inet from em0:network to any nat-to (egress:0)
    block in log
    pass out quick
    pass in inet proto icmp all icmp-type echoreq
    pass in on em0

I'd like to translate any requests going to fc00::ffff:0:0/96 into
IPv4 requests. An example address is 173.194.33.80 (www.google.com).
This gets mapped to fc00::ffff:adc2:2150. I expected the following
rule to work:

    pass in on em0 inet6 from any to fc00::ffff:0:0/96 af-to inet from (em0)

When I try to ping Google (with the address above) from
another host on the internal network I get these errors:

    $ ping6 fc00::ffff:adc2:2150
    PING fc00::ffff:adc2:2150(fc00::ffff:adc2:2150) 56 data bytes
    From fc00::33 icmp_seq=1 Destination unreachable: Address unreachable

I can see the packets coming in on the router itself.

    # tcpdump -nvvi em0 -c 10
    tcpdump: listening on em0, link-type EN10MB
    tcpdump: WARNING: compensating for unaligned libpcap packets
    21:44:21.280527 fc00::33 > ff02::1:ffc2:2150: icmp6: neighbor sol: who has fc00::ffff:adc2:2150(src lladdr: 08:00:27:71:55:eb) [icmp6 cksum ok] (len 32, hlim 255)
    21:44:22.282785 fc00::33 > ff02::1:ffc2:2150: icmp6: neighbor sol: who has fc00::ffff:adc2:2150(src lladdr: 08:00:27:71:55:eb) [icmp6 cksum ok] (len 32, hlim 255)

I know the router itself works with NAT44 because I can assign the
host an internal IPv4 address and ping external sites. I'm trying to
understand what is missing for IPv6 packets to be translated and
routed by the router. Thanks.

Kamil
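
The address mapping described in the post, as an added example that is not part of the original message: it embeds the IPv4 address in the /96 prefix, reverses the mapping, and checks whether a host on the em0 /64 would treat the mapped address as on-link, which is when it sends neighbor solicitations like those in the tcpdump output. The function names are hypothetical, the client is assumed to be configured with the same /64 as em0, and 64:ff9b::/96 (the RFC 6052 well-known prefix) appears only for comparison.

```python
import ipaddress

# Values taken from the post.
NAT64_PREFIX = ipaddress.ip_network("fc00::ffff:0:0/96")
EM0_NETWORK = ipaddress.ip_interface("fc00::1/64").network
# Not from the post: RFC 6052 well-known prefix, used only as a contrast case.
WELL_KNOWN_PREFIX = ipaddress.ip_network("64:ff9b::/96")


def embed_ipv4(v4, prefix=NAT64_PREFIX):
    """Place the 32-bit IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 translation prefixes")
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(v6, prefix=NAT64_PREFIX):
    """Recover the IPv4 destination encoded in a mapped address."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def next_hop_kind(dst, lan=EM0_NETWORK):
    """Simplified on-link test (assumption: the host's on-link prefix is `lan`).

    'on-link'    -> the host resolves dst itself with neighbor solicitations
    'via-router' -> the host hands the packet to its default gateway
    """
    return "on-link" if ipaddress.IPv6Address(dst) in lan else "via-router"


if __name__ == "__main__":
    mapped = embed_ipv4("173.194.33.80")
    print(mapped, extract_ipv4(mapped), next_hop_kind(mapped))
    other = embed_ipv4("173.194.33.80", WELL_KNOWN_PREFIX)
    print(other, next_hop_kind(other))
```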
