On 2014/11/13 21:55, Kamil Jiwa wrote:
> Hi, I've got an IPv6 network that I'd like to connect to an IPv4
> network with a NAT64 router. The router has two interfaces with the
> following configurations:
> 
>     - em0: internal, IPv6 network
>         - IPv4 address: 10.0.66.1/24
>         - IPv6 address: fc00::1/64
> 
>     - em1: external, IPv4 network
>         - IPv4 address: DHCP
>         - IPv6 address: none
> 
> I've enabled IP forwarding:
> 
>     # sysctl net.inet.ip.forwarding
>     net.inet.ip.forwarding=1
>     # sysctl net.inet6.ip6.forwarding
>     net.inet6.ip6.forwarding=1
> 
> Here's my /etc/pf.conf _before_ adding any NAT64 rules. Note that it
> is set up to perform NAT44 and I've verified that part works.
> 
>     set block-policy return
>     set loginterface egress
>     set skip on lo
>     match out on egress inet from em0:network to any nat-to (egress:0)
>     block in log
>     pass out quick
>     pass in inet proto icmp all icmp-type echoreq
>     pass in on em0
> 
> I'd like to translate any requests going to fc00::ffff:0:0/96 into
> IPv4 requests. An example address is 173.194.33.80 (www.google.com).
> This gets mapped to fc00::ffff:adc2:2150. I expected the following
> rule to work:
> 
>     pass in on em0 inet6 from any to fc00::ffff:0:0/96 af-to inet from (em0)

These rules are correct; the problem is occurring before packets
reach PF. You need a valid route table entry, otherwise they will
be rejected earlier in the stack.

Not fully tested as I have v6 routes on my machines, but something
like this should be enough:

        route add -inet6 default ::1 -reject

> When I try to ping Google (with the address above) from
> another host on the internal network I get these errors:
> 
>     $ ping6 fc00::ffff:adc2:2150

BTW there is another valid address format which saves a manual
hex conversion:

        $ ping6 fc00::ffff:173.194.33.80
