On 2014/11/13 21:55, Kamil Jiwa wrote:
> Hi, I've got an IPv6 network that I'd like to connect to an IPv4
> network with a NAT64 router. The router has two interfaces with the
> following configurations:
>
> - em0: internal, IPv6 network
>   - IPv4 address: 10.0.66.1/24
>   - IPv6 address: fc00::1/64
>
> - em1: external, IPv4 network
>   - IPv4 address: DHCP
>   - IPv6 address: none
>
> I've enabled IP forwarding:
>
> # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding=1
> # sysctl net.inet6.ip6.forwarding
> net.inet6.ip6.forwarding=1
>
> Here's my /etc/pf.conf _before_ adding any NAT64 rules. Note that it
> is set up to perform NAT44 and I've verified that part works.
>
> set block-policy return
> set loginterface egress
> set skip on lo
> match out on egress inet from em0:network to any nat-to (egress:0)
> block in log
> pass out quick
> pass in inet proto icmp all icmp-type echoreq
> pass in on em0
>
> I'd like to translate any requests going to fc00::ffff:0:0/96 into
> IPv4 requests. An example address is 173.194.33.80 (www.google.com).
> This gets mapped to fc00::ffff:adc2:2150. I expected the following
> rule to work:
>
> pass in on em0 inet6 from any to fc00::ffff:0:0/96 af-to inet from (em0)

These rules are correct, the problem is occurring before packets reach
PF - you need a valid route table entry otherwise they will be rejected
earlier in the stack. Not fully tested as I have v6 routes on my
machines, but something like this should be enough:

route add -inet6 default ::1 -reject

> When I try to ping Google (with the address above) address from
> another host on the internal network I get these errors:
>
> $ ping6 fc00::ffff:adc2:2150

BTW there is another valid address format which saves a manual hex
conversion:

$ ping6 fc00::ffff:173.194.33.80
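
The address mapping discussed in this thread, as an added example that is not part of either message: it embeds an IPv4 address in the fc00::ffff:0:0/96 prefix from the af-to rule, accepts both the hex and dotted-quad spellings, and maps logged IPv6 destinations back to the IPv4 hosts they reach. The function names and the sample destination list are assumptions made up for this illustration.

```python
import ipaddress

# NAT64 prefix from the af-to rule quoted in the thread.
NAT64_PREFIX = ipaddress.IPv6Network("fc00::ffff:0:0/96")


def to_nat64(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def from_nat64(ipv6, prefix=NAT64_PREFIX):
    """Recover the IPv4 target; accepts a hex or dotted-quad tail."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is outside {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def translated_targets(destinations, prefix=NAT64_PREFIX):
    """Map each destination inside the prefix to its IPv4 target; skip the rest."""
    targets = {}
    for text in destinations:
        try:
            targets[text] = str(from_nat64(text, prefix))
        except ValueError:
            continue  # not a NAT64 destination, or not an IPv6 address
    return targets


# Constructed sample destinations (not taken from a real log).
SAMPLE = [
    "fc00::ffff:adc2:2150",
    "fc00::ffff:173.194.33.80",
    "fc00::1",
    "10.0.66.1",
]

if __name__ == "__main__":
    print(to_nat64("173.194.33.80"))
    for dst, v4 in translated_targets(SAMPLE).items():
        print(dst, "->", v4)
```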